Analysis Report yu6NsfbmMAuL173.exe

AV Detection:

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	ReversingLabs: Detection: 29%
Source: C:\Users\user\AppData\Roaming\gcRBzS.exe	ReversingLabs: Detection: 29%

Multi AV Scanner detection for submitted file

Source: yu6NsfbmMAuL173.exe

ReversingLabs: Detection: 29%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\gcRBzS.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: yu6NsfbmMAuL173.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 30.2.IbdGY.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 13.2.yu6NsfbmMAuL173.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files

Source: yu6NsfbmMAuL173.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: yu6NsfbmMAuL173.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.7:49749 -> 209.99.16.240:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.7:49750 -> 209.99.16.240:587

Urls found in memory or binary data

Source: yu6NsfbmMAuL173.exe, 0000000D.00000002.494549176.0000000002DB1000.00000004.00000001.sdmp, IbdGY.exe, 0000001E.00000002.494305804.00000000031B1000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: IbdGY.exe, 0000001E.00000002.494305804.00000000031B1000.00000004.00000001.sdmp	String found in binary or memory: http://CwUVnG.com
Source: IbdGY.exe, 0000001E.00000002.494305804.00000000031B1000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: yu6NsfbmMAuL173.exe, 00000000.00000003.224520797.000000000605B000.00000004.00000001.sdmp, yu6NsfbmMAuL173.exe, 00000000.00000002.304732094.0000000007252000.00000004.00000001.sdmp, IbdGY.exe, 00000014.00000002.437770742.00000000058B0000.00000002.00000001.sdmp, IbdGY.exe, 00000017.00000002.444174133.0000000005970000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: yu6NsfbmMAuL173.exe, 00000000.00000003.224465511.000000000605B000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.comz
Source: yu6NsfbmMAuL173.exe, 00000000.00000002.297932819.0000000003131000.00000004.00000001.sdmp, IbdGY.exe, 00000014.00000002.426011624.0000000002831000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: yu6NsfbmMAuL173.exe, 00000000.00000002.304732094.0000000007252000.00000004.00000001.sdmp, IbdGY.exe, 00000014.00000002.437770742.00000000058B0000.00000002.00000001.sdmp, IbdGY.exe, 00000017.00000002.444174133.0000000005970000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: yu6NsfbmMAuL173.exe, 00000000.00000003.229525317.0000000006063000.00000004.00000001.sdmp, yu6NsfbmMAuL173.exe, 00000000.00000003.229154913.0000000006063000.00000004.00000001.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: yu6NsfbmMAuL173.exe, 00000000.00000003.227926952.000000000605E000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: yu6NsfbmMAuL173.exe, 00000000.00000003.227682938.000000000605E000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com.k
Source: yu6NsfbmMAuL173.exe, 00000000.00000003.228091323.000000000605B000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comJh/
Source: yu6NsfbmMAuL173.exe, 00000000.00000003.228091323.000000000605B000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comTC
Source: yu6NsfbmMAuL173.exe, 00000000.00000003.228091323.000000000605B000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comar
Source: yu6NsfbmMAuL173.exe, 00000000.00000003.227926952.000000000605E000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comea
Source: yu6NsfbmMAuL173.exe, 00000000.00000003.227926952.000000000605E000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comgo
Source: yu6NsfbmMAuL173.exe, 00000000.00000003.228091323.000000000605B000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comic
Source: yu6NsfbmMAuL173.exe, 00000000.00000003.227545406.000000000605E000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comkn
Source: yu6NsfbmMAuL173.exe, 00000000.00000002.304732094.0000000007252000.00000004.00000001.sdmp, IbdGY.exe, 00000014.00000002.437770742.00000000058B0000.00000002.00000001.sdmp, IbdGY.exe, 00000017.00000002.444174133.0000000005970000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: yu6NsfbmMAuL173.exe, 00000000.00000003.228294614.000000000605B000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comn-u
Source: yu6NsfbmMAuL173.exe, 00000000.00000003.227545406.000000000605E000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comuct
Source: yu6NsfbmMAuL173.exe, 00000000.00000003.228000486.000000000605E000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comup
Source: yu6NsfbmMAuL173.exe, 00000000.00000003.227761646.000000000605E000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comypoT
Source: yu6NsfbmMAuL173.exe, 00000000.00000002.304732094.0000000007252000.00000004.00000001.sdmp, IbdGY.exe, 00000014.00000002.437770742.00000000058B0000.00000002.00000001.sdmp, IbdGY.exe, 00000017.00000002.444174133.0000000005970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: IbdGY.exe, 00000017.00000002.444174133.0000000005970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: yu6NsfbmMAuL173.exe, 00000000.00000003.232269738.0000000006061000.00000004.00000001.sdmp, yu6NsfbmMAuL173.exe, 00000000.00000003.232219928.0000000006061000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/
Source: yu6NsfbmMAuL173.exe, 00000000.00000002.304732094.0000000007252000.00000004.00000001.sdmp, IbdGY.exe, 00000014.00000002.437770742.00000000058B0000.00000002.00000001.sdmp, IbdGY.exe, 00000017.00000002.444174133.0000000005970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: yu6NsfbmMAuL173.exe, 00000000.00000003.233505819.000000000607E000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: yu6NsfbmMAuL173.exe, 00000000.00000002.304732094.0000000007252000.00000004.00000001.sdmp, IbdGY.exe, 00000014.00000002.437770742.00000000058B0000.00000002.00000001.sdmp, IbdGY.exe, 00000017.00000002.444174133.0000000005970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: yu6NsfbmMAuL173.exe, 00000000.00000003.233029651.000000000607E000.00000004.00000001.sdmp, yu6NsfbmMAuL173.exe, 00000000.00000003.232934611.000000000605B000.00000004.00000001.sdmp, yu6NsfbmMAuL173.exe, 00000000.00000002.304732094.0000000007252000.00000004.00000001.sdmp, IbdGY.exe, 00000014.00000002.437770742.00000000058B0000.00000002.00000001.sdmp, IbdGY.exe, 00000017.00000002.444174133.0000000005970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: yu6NsfbmMAuL173.exe, 00000000.00000003.233069005.000000000605B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers4
Source: yu6NsfbmMAuL173.exe, 00000000.00000002.304732094.0000000007252000.00000004.00000001.sdmp, IbdGY.exe, 00000014.00000002.437770742.00000000058B0000.00000002.00000001.sdmp, IbdGY.exe, 00000017.00000002.444174133.0000000005970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: yu6NsfbmMAuL173.exe, 00000000.00000003.232324890.0000000006061000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers:
Source: yu6NsfbmMAuL173.exe, 00000000.00000002.304732094.0000000007252000.00000004.00000001.sdmp, IbdGY.exe, 00000014.00000002.437770742.00000000058B0000.00000002.00000001.sdmp, IbdGY.exe, 00000017.00000002.444174133.0000000005970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: yu6NsfbmMAuL173.exe, 00000000.00000002.304732094.0000000007252000.00000004.00000001.sdmp, IbdGY.exe, 00000014.00000002.437770742.00000000058B0000.00000002.00000001.sdmp, IbdGY.exe, 00000017.00000002.444174133.0000000005970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: yu6NsfbmMAuL173.exe, 00000000.00000003.232694728.000000000605B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersers
Source: yu6NsfbmMAuL173.exe, 00000000.00000002.297682507.0000000001917000.00000004.00000040.sdmp	String found in binary or memory: http://www.fontbureau.come.com
Source: yu6NsfbmMAuL173.exe, 00000000.00000002.297682507.0000000001917000.00000004.00000040.sdmp	String found in binary or memory: http://www.fontbureau.como
Source: yu6NsfbmMAuL173.exe, 00000000.00000002.304732094.0000000007252000.00000004.00000001.sdmp, IbdGY.exe, 00000014.00000002.437770742.00000000058B0000.00000002.00000001.sdmp, IbdGY.exe, 00000017.00000002.444174133.0000000005970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: yu6NsfbmMAuL173.exe, 00000000.00000003.228638084.000000000605B000.00000004.00000001.sdmp, IbdGY.exe, 00000014.00000002.437770742.00000000058B0000.00000002.00000001.sdmp, IbdGY.exe, 00000017.00000002.444174133.0000000005970000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: yu6NsfbmMAuL173.exe, 00000000.00000003.226494251.000000000605E000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn&
Source: yu6NsfbmMAuL173.exe, 00000000.00000003.225956426.000000000605B000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: yu6NsfbmMAuL173.exe, 00000000.00000002.304732094.0000000007252000.00000004.00000001.sdmp, IbdGY.exe, 00000014.00000002.437770742.00000000058B0000.00000002.00000001.sdmp, IbdGY.exe, 00000017.00000002.444174133.0000000005970000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: yu6NsfbmMAuL173.exe, 00000000.00000002.304732094.0000000007252000.00000004.00000001.sdmp, IbdGY.exe, 00000014.00000002.437770742.00000000058B0000.00000002.00000001.sdmp, IbdGY.exe, 00000017.00000002.444174133.0000000005970000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: yu6NsfbmMAuL173.exe, 00000000.00000003.226653046.000000000605F000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/o#
Source: yu6NsfbmMAuL173.exe, 00000000.00000003.227926952.000000000605E000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnT
Source: yu6NsfbmMAuL173.exe, 00000000.00000003.226416249.0000000006064000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnddV
Source: yu6NsfbmMAuL173.exe, 00000000.00000002.304732094.0000000007252000.00000004.00000001.sdmp, IbdGY.exe, 00000014.00000002.437770742.00000000058B0000.00000002.00000001.sdmp, IbdGY.exe, 00000017.00000002.444174133.0000000005970000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: yu6NsfbmMAuL173.exe, 00000000.00000003.238061147.000000000605B000.00000004.00000001.sdmp, yu6NsfbmMAuL173.exe, 00000000.00000002.304732094.0000000007252000.00000004.00000001.sdmp, IbdGY.exe, 00000014.00000002.437770742.00000000058B0000.00000002.00000001.sdmp, IbdGY.exe, 00000017.00000002.444174133.0000000005970000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: yu6NsfbmMAuL173.exe, 00000000.00000003.237284106.000000000605B000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm~
Source: yu6NsfbmMAuL173.exe, 00000000.00000003.225877277.000000000605B000.00000004.00000001.sdmp, IbdGY.exe, 00000014.00000002.437770742.00000000058B0000.00000002.00000001.sdmp, IbdGY.exe, 00000017.00000002.444174133.0000000005970000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: yu6NsfbmMAuL173.exe, 00000000.00000003.225877277.000000000605B000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.krtp
Source: yu6NsfbmMAuL173.exe, 00000000.00000002.304732094.0000000007252000.00000004.00000001.sdmp, IbdGY.exe, 00000014.00000002.437770742.00000000058B0000.00000002.00000001.sdmp, IbdGY.exe, 00000017.00000002.444174133.0000000005970000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: yu6NsfbmMAuL173.exe, 00000000.00000003.236349828.000000000605B000.00000004.00000001.sdmp	String found in binary or memory: http://www.monotype.N
Source: yu6NsfbmMAuL173.exe, 00000000.00000002.304732094.0000000007252000.00000004.00000001.sdmp, yu6NsfbmMAuL173.exe, 00000000.00000003.223674610.0000000006042000.00000004.00000001.sdmp, IbdGY.exe, 00000014.00000002.437770742.00000000058B0000.00000002.00000001.sdmp, IbdGY.exe, 00000017.00000002.444174133.0000000005970000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: yu6NsfbmMAuL173.exe, 00000000.00000003.229193965.0000000006063000.00000004.00000001.sdmp, IbdGY.exe, 00000014.00000002.437770742.00000000058B0000.00000002.00000001.sdmp, IbdGY.exe, 00000017.00000002.444174133.0000000005970000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: yu6NsfbmMAuL173.exe, 00000000.00000003.225877277.000000000605B000.00000004.00000001.sdmp, IbdGY.exe, 00000014.00000002.437770742.00000000058B0000.00000002.00000001.sdmp, IbdGY.exe, 00000017.00000002.444174133.0000000005970000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: yu6NsfbmMAuL173.exe, 00000000.00000003.225956426.000000000605B000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr(
Source: yu6NsfbmMAuL173.exe, 00000000.00000003.225877277.000000000605B000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kra-d)
Source: yu6NsfbmMAuL173.exe, 00000000.00000003.225877277.000000000605B000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.krim
Source: yu6NsfbmMAuL173.exe, 00000000.00000003.225877277.000000000605B000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.krlw
Source: IbdGY.exe, 00000017.00000002.444174133.0000000005970000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: yu6NsfbmMAuL173.exe, 00000000.00000003.227017789.000000000605B000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com(
Source: yu6NsfbmMAuL173.exe, 00000000.00000003.228212676.000000000605B000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comf
Source: yu6NsfbmMAuL173.exe, 00000000.00000003.228212676.000000000605B000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comslnt
Source: yu6NsfbmMAuL173.exe, 00000000.00000002.304732094.0000000007252000.00000004.00000001.sdmp, IbdGY.exe, 00000014.00000002.437770742.00000000058B0000.00000002.00000001.sdmp, IbdGY.exe, 00000017.00000002.444174133.0000000005970000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: yu6NsfbmMAuL173.exe, 00000000.00000003.232002686.0000000006061000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.de
Source: yu6NsfbmMAuL173.exe, 00000000.00000002.304732094.0000000007252000.00000004.00000001.sdmp, IbdGY.exe, 00000014.00000002.437770742.00000000058B0000.00000002.00000001.sdmp, IbdGY.exe, 00000017.00000002.444174133.0000000005970000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: yu6NsfbmMAuL173.exe, 00000000.00000003.233948789.0000000006067000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deFg
Source: yu6NsfbmMAuL173.exe, 00000000.00000003.232002686.0000000006061000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.dey
Source: yu6NsfbmMAuL173.exe, 00000000.00000003.227359227.000000000605F000.00000004.00000001.sdmp, IbdGY.exe, 00000014.00000002.437770742.00000000058B0000.00000002.00000001.sdmp, IbdGY.exe, 00000017.00000002.444174133.0000000005970000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: yu6NsfbmMAuL173.exe, 00000000.00000003.227926952.000000000605E000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cnJh/
Source: yu6NsfbmMAuL173.exe, 00000000.00000003.227545406.000000000605E000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cno.
Source: yu6NsfbmMAuL173.exe, 00000000.00000002.299428163.000000000460C000.00000004.00000001.sdmp, yu6NsfbmMAuL173.exe, 0000000D.00000002.489406446.0000000000402000.00000040.00000001.sdmp, IbdGY.exe, 00000014.00000002.433247429.0000000003D0C000.00000004.00000001.sdmp, IbdGY.exe, 00000017.00000002.440787859.0000000003F0C000.00000004.00000001.sdmp, IbdGY.exe, 0000001E.00000002.489364201.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: yu6NsfbmMAuL173.exe, 0000000D.00000002.494549176.0000000002DB1000.00000004.00000001.sdmp, IbdGY.exe, 0000001E.00000002.494305804.00000000031B1000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)

Source: yu6NsfbmMAuL173.exe, 00000000.00000002.297457268.00000000014B8000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Creates a window with clipboard capturing capabilities

Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary:

.NET source code contains very large array initializations

Source: 13.2.yu6NsfbmMAuL173.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b12C20899u002d81A7u002d4C80u002d9B3Cu002d14F41E4705FCu007d/u0039FFFBE46u002d470Fu002d4B94u002d91C6u002dF7C726149032.cs	Large array initialization: .cctor: array initializer size 11977
Source: 30.2.IbdGY.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b12C20899u002d81A7u002d4C80u002d9B3Cu002d14F41E4705FCu007d/u0039FFFBE46u002d470Fu002d4B94u002d91C6u002dF7C726149032.cs	Large array initialization: .cctor: array initializer size 11977

Detected potential crypto function

Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Code function: 0_2_00CB6DA3		0_2_00CB6DA3
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Code function: 0_2_00CB67C0		0_2_00CB67C0
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Code function: 0_2_0149F460		0_2_0149F460
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Code function: 0_2_0149F470		0_2_0149F470
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Code function: 0_2_0149D4FC		0_2_0149D4FC
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Code function: 13_2_009967C0		13_2_009967C0
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Code function: 13_2_00996DA3		13_2_00996DA3
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Code function: 13_2_02C24860		13_2_02C24860
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Code function: 13_2_02C247D3		13_2_02C247D3
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Code function: 13_2_02C24853		13_2_02C24853
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Code function: 13_2_02C24810		13_2_02C24810
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Code function: 20_2_005567C0		20_2_005567C0
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Code function: 20_2_00556DA3		20_2_00556DA3
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Code function: 20_2_026BF460		20_2_026BF460
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Code function: 20_2_026BF470		20_2_026BF470
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Code function: 20_2_026BD4FC		20_2_026BD4FC
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Code function: 20_2_0532FB50		20_2_0532FB50
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Code function: 20_2_0532B8A0		20_2_0532B8A0
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Code function: 23_2_005E6DA3		23_2_005E6DA3
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Code function: 23_2_005E67C0		23_2_005E67C0
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Code function: 23_2_0288D4FC		23_2_0288D4FC
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Code function: 23_2_0288F460		23_2_0288F460
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Code function: 23_2_0288F470		23_2_0288F470
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Code function: 23_2_06C03DEC		23_2_06C03DEC
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Code function: 30_2_00EA6DA3		30_2_00EA6DA3
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Code function: 30_2_00EA67C0		30_2_00EA67C0
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Code function: 30_2_017A4860		30_2_017A4860
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Code function: 30_2_017A5530		30_2_017A5530
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Code function: 30_2_017A3D8C		30_2_017A3D8C
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Code function: 30_2_017A4770		30_2_017A4770
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Code function: 30_2_017A47D3		30_2_017A47D3
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Code function: 30_2_017A4853		30_2_017A4853
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Code function: 30_2_017A5550		30_2_017A5550

Sample file is different than original file name gathered from version info

Source: yu6NsfbmMAuL173.exe	Binary or memory string: OriginalFilename vs yu6NsfbmMAuL173.exe
Source: yu6NsfbmMAuL173.exe, 00000000.00000002.299428163.000000000460C000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLbJMoZaoNxcHnZoPWdYczmHqJQyfHYPKJQtDxGd.exe4 vs yu6NsfbmMAuL173.exe
Source: yu6NsfbmMAuL173.exe, 00000000.00000002.298209195.0000000004273000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameCVG vs yu6NsfbmMAuL173.exe
Source: yu6NsfbmMAuL173.exe, 00000000.00000002.307279667.00000000098C0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs yu6NsfbmMAuL173.exe
Source: yu6NsfbmMAuL173.exe, 00000000.00000002.307665545.00000000099C0000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs yu6NsfbmMAuL173.exe
Source: yu6NsfbmMAuL173.exe, 00000000.00000002.307665545.00000000099C0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs yu6NsfbmMAuL173.exe
Source: yu6NsfbmMAuL173.exe	Binary or memory string: OriginalFilename vs yu6NsfbmMAuL173.exe
Source: yu6NsfbmMAuL173.exe, 0000000D.00000002.489406446.0000000000402000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameLbJMoZaoNxcHnZoPWdYczmHqJQyfHYPKJQtDxGd.exe4 vs yu6NsfbmMAuL173.exe
Source: yu6NsfbmMAuL173.exe	Binary or memory string: OriginalFilenameCVG vs yu6NsfbmMAuL173.exe

Uses 32bit PE files

Source: yu6NsfbmMAuL173.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)

Source: yu6NsfbmMAuL173.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: gcRBzS.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: IbdGY.exe.13.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

.NET source code contains calls to encryption/decryption functions

Source: 13.2.yu6NsfbmMAuL173.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 13.2.yu6NsfbmMAuL173.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 30.2.IbdGY.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 30.2.IbdGY.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Classification label

Source: classification engine

Classification label: mal100.troj.evad.winEXE@13/7@0/0

Creates files inside the user directory

Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe

File created: C:\Users\user\AppData\Roaming\gcRBzS.exe

Jump to behavior

Creates mutexes

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1048:120:WilError_01
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Mutant created: \Sessions\1\BaseNamedObjects\kSJkJRVtr
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4480:120:WilError_01

Creates temporary files

Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe

File created: C:\Users\user\AppData\Local\Temp\tmpD2EA.tmp

Jump to behavior

PE file has an executable .text section and no other executable section

Source: yu6NsfbmMAuL173.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Parts of this applications are using the .NET runtime (Probably coded in C#)

Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Queries process information (via WMI, Win32_Process)

Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Reads ini files

Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Reads software policies

Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Sample is known by Antivirus

Source: yu6NsfbmMAuL173.exe

ReversingLabs: Detection: 29%

Sample reads its own file content

Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe

File read: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe

Jump to behavior

Spawns processes

Source: unknown	Process created: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe 'C:\Users\user\Desktop\yu6NsfbmMAuL173.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gcRBzS' /XML 'C:\Users\user\AppData\Local\Temp\tmpD2EA.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe {path}
Source: unknown	Process created: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe 'C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe 'C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gcRBzS' /XML 'C:\Users\user\AppData\Local\Temp\tmpC2C9.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe {path}
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gcRBzS' /XML 'C:\Users\user\AppData\Local\Temp\tmpD2EA.tmp'			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process created: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe {path}			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gcRBzS' /XML 'C:\Users\user\AppData\Local\Temp\tmpC2C9.tmp'			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process created: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe {path}			Jump to behavior

Uses an in-process (OLE) Automation server

Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

PE file contains a COM descriptor data directory

Source: yu6NsfbmMAuL173.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: yu6NsfbmMAuL173.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

PE file contains a debug data directory

Source: yu6NsfbmMAuL173.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation:

Binary contains a suspicious time stamp

Source: initial sample

Static PE information: 0x889910FB [Fri Aug 15 16:25:31 2042 UTC]

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Code function: 0_2_00CB7DC9 push es; iretd		0_2_00CB7F96
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Code function: 0_2_0149E520 push esp; retf		0_2_0149E521
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Code function: 13_2_00997DC9 push es; iretd		13_2_00997F96
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Code function: 20_2_00557DC9 push es; iretd		20_2_00557F96
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Code function: 20_2_026BE520 push esp; retf		20_2_026BE521
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Code function: 23_2_005E7DC9 push es; iretd		23_2_005E7F96
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Code function: 23_2_0288E520 push esp; retf		23_2_0288E521
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Code function: 30_2_00EA7DC9 push es; iretd		30_2_00EA7F96

Binary may include packed or encrypted code

Source: initial sample	Static PE information: section name: .text entropy: 7.94842919046
Source: initial sample	Static PE information: section name: .text entropy: 7.94842919046
Source: initial sample	Static PE information: section name: .text entropy: 7.94842919046

Persistence and Installation Behavior:

Drops PE files

Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	File created: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe			Jump to dropped file
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	File created: C:\Users\user\AppData\Roaming\gcRBzS.exe			Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Source: unknown

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gcRBzS' /XML 'C:\Users\user\AppData\Local\Temp\tmpD2EA.tmp'

Creates an autostart registry key

Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run IbdGY			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run IbdGY			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe

File opened: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe:Zone.Identifier read attributes | delete

Jump to behavior

Disables application error messsages (SetErrorMode)

Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: yu6NsfbmMAuL173.exe, 00000000.00000002.297932819.0000000003131000.00000004.00000001.sdmp, IbdGY.exe, 00000014.00000002.426011624.0000000002831000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: yu6NsfbmMAuL173.exe, 00000000.00000002.297932819.0000000003131000.00000004.00000001.sdmp, IbdGY.exe, 00000014.00000002.426011624.0000000002831000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Contains capabilities to detect virtual machines

Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion			Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Window / User API: threadDelayed 2574			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Window / User API: threadDelayed 7265			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Window / User API: threadDelayed 735			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Window / User API: threadDelayed 9113			Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe TID: 6464	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe TID: 6152	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe TID: 6764	Thread sleep time: -26747778906878833s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe TID: 5292	Thread sleep count: 2574 > 30			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe TID: 5292	Thread sleep count: 7265 > 30			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe TID: 6300	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe TID: 6540	Thread sleep time: -11068046444225724s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe TID: 5392	Thread sleep count: 735 > 30			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe TID: 5392	Thread sleep count: 9113 > 30			Jump to behavior

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: IbdGY.exe, 00000014.00000002.439918097.00000000085D0000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: yu6NsfbmMAuL173.exe, 00000000.00000002.297329985.0000000001305000.00000004.00000020.sdmp	Binary or memory string: \REGISTRY\USER\S-1-5-21-3853321935-\Registry\Machine\Software\Classes\WO\REGISTR\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\
Source: IbdGY.exe, 00000014.00000002.426011624.0000000002831000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: yu6NsfbmMAuL173.exe, 00000000.00000002.297932819.0000000003131000.00000004.00000001.sdmp	Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware T
Source: IbdGY.exe, 00000014.00000002.426011624.0000000002831000.00000004.00000001.sdmp	Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: yu6NsfbmMAuL173.exe, 00000000.00000002.297535742.0000000001541000.00000004.00000020.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:^
Source: yu6NsfbmMAuL173.exe, 00000000.00000002.297329985.0000000001305000.00000004.00000020.sdmp	Binary or memory string: y\Machine\Software\Classes\AppID\yu6NsfbmMAuL173.exec.\VMware Toolsditions8C75-C6B61110B681}\Instance\Disabled75-C6B61110B681}\Instance\Disabledolders
Source: IbdGY.exe, 00000014.00000002.426011624.0000000002831000.00000004.00000001.sdmp	Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
Source: yu6NsfbmMAuL173.exe, 00000000.00000002.306377642.0000000008D80000.00000004.00000001.sdmp	Binary or memory string: Win32_VideoController(Standard display types)VMwareSE_T2KD9Win32_VideoControllerPCU9HCFSVideoCon
Source: IbdGY.exe, 00000014.00000002.426011624.0000000002831000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: IbdGY.exe, 00000014.00000002.439918097.00000000085D0000.00000004.00000001.sdmp	Binary or memory string: Win32_VideoController(Standard display types)VMwareSE_T2KD9Win32_VideoControllerPCU9HCFSVideoController120060621000000.000000-000409165.9display.infMSBDAGVOGNO8NPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsCG747G6D
Source: yu6NsfbmMAuL173.exe, 00000000.00000002.297932819.0000000003131000.00000004.00000001.sdmp	Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware T(
Source: IbdGY.exe, 00000014.00000002.426011624.0000000002831000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II

Queries a list of all running processes

Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Enables debug privileges

Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process token adjusted: Debug			Jump to behavior

Creates guard pages, often used to prevent reverse engineering and debugging

Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gcRBzS' /XML 'C:\Users\user\AppData\Local\Temp\tmpD2EA.tmp'			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Process created: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe {path}			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gcRBzS' /XML 'C:\Users\user\AppData\Local\Temp\tmpC2C9.tmp'			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Process created: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe {path}			Jump to behavior

May try to detect the Windows Explorer process (often used for injection)

Source: yu6NsfbmMAuL173.exe, 0000000D.00000002.493511244.0000000001730000.00000002.00000001.sdmp, IbdGY.exe, 0000001E.00000002.493824170.0000000001C80000.00000002.00000001.sdmp	Binary or memory string: uProgram Manager
Source: yu6NsfbmMAuL173.exe, 0000000D.00000002.493511244.0000000001730000.00000002.00000001.sdmp, IbdGY.exe, 0000001E.00000002.493824170.0000000001C80000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: yu6NsfbmMAuL173.exe, 0000000D.00000002.493511244.0000000001730000.00000002.00000001.sdmp, IbdGY.exe, 0000001E.00000002.493824170.0000000001C80000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: yu6NsfbmMAuL173.exe, 0000000D.00000002.493511244.0000000001730000.00000002.00000001.sdmp, IbdGY.exe, 0000001E.00000002.493824170.0000000001C80000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Queries volume information: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Queries volume information: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Queries volume information: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\IbdGY\IbdGY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation			Jump to behavior

Queries the cryptographic machine GUID

Source: C:\Users\user\Desktop\yu6NsfbmMAuL173.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Source: Yara match	File source: 00000000.00000002.299428163.000000000460C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.440787859.0000000003F0C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.494305804.00000000031B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.494549176.0000000002DB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.433247429.0000000003D0C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.489364201.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.489406446.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.298037958.0000000004139000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: IbdGY.exe PID: 3152, type: MEMORY
Source: Yara match	File source: Process Memory Space: yu6NsfbmMAuL173.exe PID: 4340, type: MEMORY
Source: Yara match	File source: Process Memory Space: IbdGY.exe PID: 2772, type: MEMORY
Source: Yara match	File source: Process Memory Space: IbdGY.exe PID: 6552, type: MEMORY
Source: Yara match	File source: Process Memory Space: yu6NsfbmMAuL173.exe PID: 6304, type: MEMORY
Source: Yara match	File source: 30.2.IbdGY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.IbdGY.exe.3d433f0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.yu6NsfbmMAuL173.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.IbdGY.exe.3f433f0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.IbdGY.exe.3f433f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.yu6NsfbmMAuL173.exe.46433f0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.IbdGY.exe.3d433f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.yu6NsfbmMAuL173.exe.46433f0.3.unpack, type: UNPACKEDPE

Yara detected Credential Stealer

Source: Yara match	File source: 0000001E.00000002.494305804.00000000031B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.494549176.0000000002DB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: yu6NsfbmMAuL173.exe PID: 4340, type: MEMORY
Source: Yara match	File source: Process Memory Space: IbdGY.exe PID: 2772, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Source: Yara match	File source: 00000000.00000002.299428163.000000000460C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.440787859.0000000003F0C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.494305804.00000000031B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.494549176.0000000002DB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.433247429.0000000003D0C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.489364201.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.489406446.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.298037958.0000000004139000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: IbdGY.exe PID: 3152, type: MEMORY
Source: Yara match	File source: Process Memory Space: yu6NsfbmMAuL173.exe PID: 4340, type: MEMORY
Source: Yara match	File source: Process Memory Space: IbdGY.exe PID: 2772, type: MEMORY
Source: Yara match	File source: Process Memory Space: IbdGY.exe PID: 6552, type: MEMORY
Source: Yara match	File source: Process Memory Space: yu6NsfbmMAuL173.exe PID: 6304, type: MEMORY
Source: Yara match	File source: 30.2.IbdGY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.IbdGY.exe.3d433f0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.yu6NsfbmMAuL173.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.IbdGY.exe.3f433f0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.IbdGY.exe.3f433f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.yu6NsfbmMAuL173.exe.46433f0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.IbdGY.exe.3d433f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.yu6NsfbmMAuL173.exe.46433f0.3.unpack, type: UNPACKEDPE