Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Analysis Report INV01562.exe

Overview

General Information

Sample Name:INV01562.exe
Analysis ID:356538
MD5:513d86dd42100ea5c41bb0ac562cee55
SHA1:0887972445e88c9628cc46a61b51fa140d5bd675
SHA256:ad2e708430f74c1382ac3d83421e940414f109dbc76a8b4504f152b6ed237670
Tags:AgentTeslaexe

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • INV01562.exe (PID: 6992 cmdline: 'C:\Users\user\Desktop\INV01562.exe' MD5: 513D86DD42100EA5C41BB0AC562CEE55)
    • schtasks.exe (PID: 4524 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ChpWNEmipxih' /XML 'C:\Users\user\AppData\Local\Temp\tmp8EA8.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 1604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • INV01562.exe (PID: 5776 cmdline: {path} MD5: 513D86DD42100EA5C41BB0AC562CEE55)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "=0AZJ26VmdE", "URL: ": "http://ONYvyFrci4NQP.com", "To: ": "", "ByHost: ": "mail.dorreve.com:587", "Password: ": "=0A1pKvEuI", "From: ": ""}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000006.00000002.598365443.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000001.00000002.394452914.00000000041F9000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      00000006.00000002.600806948.0000000002981000.00000004.00000001.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        Process Memory Space: INV01562.exe PID: 5776JoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          Process Memory Space: INV01562.exe PID: 5776JoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
            Click to see the 1 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            6.2.INV01562.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              1.2.INV01562.exe.434dd98.1.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                1.2.INV01562.exe.4383fb8.3.raw.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                  1.2.INV01562.exe.434dd98.1.raw.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                    1.2.INV01562.exe.42486e8.2.raw.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security

                      Sigma Overview

                      System Summary:

                      barindex
                      Sigma detected: Scheduled temp file as task from temp locationShow sources
                      Source: Process startedAuthor: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ChpWNEmipxih' /XML 'C:\Users\user\AppData\Local\Temp\tmp8EA8.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ChpWNEmipxih' /XML 'C:\Users\user\AppData\Local\Temp\tmp8EA8.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\INV01562.exe' , ParentImage: C:\Users\user\Desktop\INV01562.exe, ParentProcessId: 6992, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ChpWNEmipxih' /XML 'C:\Users\user\AppData\Local\Temp\tmp8EA8.tmp', ProcessId: 4524

                      Signature Overview

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection:

                      barindex
                      Found malware configurationShow sources
                      Source: INV01562.exe.5776.6.memstrMalware Configuration Extractor: Agenttesla {"Username: ": "=0AZJ26VmdE", "URL: ": "http://ONYvyFrci4NQP.com", "To: ": "", "ByHost: ": "mail.dorreve.com:587", "Password: ": "=0A1pKvEuI", "From: ": ""}
                      Multi AV Scanner detection for dropped fileShow sources
                      Source: C:\Users\user\AppData\Roaming\ChpWNEmipxih.exeReversingLabs: Detection: 10%
                      Multi AV Scanner detection for submitted fileShow sources
                      Source: INV01562.exeReversingLabs: Detection: 10%
                      Source: 6.2.INV01562.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8

                      Compliance:

                      barindex
                      Uses 32bit PE filesShow sources
                      Source: INV01562.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Contains modern PE file flags such as dynamic base (ASLR) or NXShow sources
                      Source: INV01562.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

                      Networking:

                      barindex
                      Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
                      Source: TrafficSnort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.6:49755 -> 108.163.193.210:587
                      Source: TrafficSnort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.6:49756 -> 108.163.193.210:587
                      C2 URLs / IPs found in malware configurationShow sources
                      Source: Malware configuration extractorURLs: http://ONYvyFrci4NQP.com
                      Source: INV01562.exe, 00000006.00000002.600806948.0000000002981000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                      Source: INV01562.exe, 00000006.00000002.600806948.0000000002981000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
                      Source: INV01562.exe, 00000006.00000002.602052637.0000000002CA8000.00000004.00000001.sdmpString found in binary or memory: http://ONYvyFrci4NQP.com
                      Source: INV01562.exeString found in binary or memory: http://code.google.com/feeds/p/topicalmemorysystem/downloads/basic.xml
                      Source: INV01562.exeString found in binary or memory: http://code.google.com/p/topicalmemorysystem/
                      Source: INV01562.exe, 00000006.00000002.602377629.0000000002CE9000.00000004.00000001.sdmpString found in binary or memory: http://dorreve.com
                      Source: INV01562.exe, 00000001.00000003.338652353.0000000005F5B000.00000004.00000001.sdmpString found in binary or memory: http://en.w8
                      Source: INV01562.exe, 00000001.00000003.338485825.0000000005F5B000.00000004.00000001.sdmp, INV01562.exe, 00000001.00000002.398391366.0000000006030000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
                      Source: INV01562.exe, 00000006.00000002.600806948.0000000002981000.00000004.00000001.sdmpString found in binary or memory: http://hDXvRr.com
                      Source: INV01562.exe, 00000006.00000002.602377629.0000000002CE9000.00000004.00000001.sdmpString found in binary or memory: http://mail.dorreve.com
                      Source: INV01562.exe, 00000001.00000002.391105435.00000000031F1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: INV01562.exeString found in binary or memory: http://topicalmemorysystem.googlecode.com/files/
                      Source: INV01562.exe, 00000001.00000002.398391366.0000000006030000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                      Source: INV01562.exe, 00000001.00000003.342976331.0000000005F63000.00000004.00000001.sdmp, INV01562.exe, 00000001.00000003.343052853.0000000005F63000.00000004.00000001.sdmpString found in binary or memory: http://www.ascendercorp.com/typedesigners.html
                      Source: INV01562.exeString found in binary or memory: http://www.biblegateway.com/passage/?search=
                      Source: INV01562.exeString found in binary or memory: http://www.biblija.net/biblija.cgi?m=
                      Source: INV01562.exeString found in binary or memory: http://www.blueletterbible.org/Bible.cfm?b=
                      Source: INV01562.exe, 00000001.00000003.342107270.0000000005F5B000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com
                      Source: INV01562.exe, 00000001.00000003.341667795.0000000005F5B000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com$
                      Source: INV01562.exe, 00000001.00000003.341667795.0000000005F5B000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com-dg
                      Source: INV01562.exe, 00000001.00000003.341667795.0000000005F5B000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com.
                      Source: INV01562.exe, 00000001.00000003.341947277.0000000005F5B000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comTCO
                      Source: INV01562.exe, 00000001.00000003.341947277.0000000005F5B000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coma
                      Source: INV01562.exe, 00000001.00000003.341638917.0000000005F5B000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comd
                      Source: INV01562.exe, 00000001.00000003.341667795.0000000005F5B000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comde
                      Source: INV01562.exe, 00000001.00000003.341448446.0000000005F5B000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.come
                      Source: INV01562.exe, 00000001.00000003.341398991.0000000005F5B000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comeI
                      Source: INV01562.exe, 00000001.00000003.341398991.0000000005F5B000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comes
                      Source: INV01562.exe, 00000001.00000003.341947277.0000000005F5B000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comfac
                      Source: INV01562.exe, 00000001.00000003.341714081.0000000005F5B000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comh
                      Source: INV01562.exe, 00000001.00000003.341398991.0000000005F5B000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comint
                      Source: INV01562.exe, 00000001.00000003.341589885.0000000005F5B000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comj
                      Source: INV01562.exe, 00000001.00000002.398391366.0000000006030000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
                      Source: INV01562.exe, 00000001.00000003.341667795.0000000005F5B000.00000004.00000001.sdmp, INV01562.exe, 00000001.00000003.341398991.0000000005F5B000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.como.
                      Source: INV01562.exe, 00000001.00000003.341448446.0000000005F5B000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comou
                      Source: INV01562.exeString found in binary or memory: http://www.esvstudybible.org/search?q=
                      Source: INV01562.exeString found in binary or memory: http://www.esvstudybible.org/search?q=Whttp://www.blueletterbible.org/Bible.cfm?b=
                      Source: INV01562.exe, 00000001.00000002.398391366.0000000006030000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
                      Source: INV01562.exe, 00000001.00000002.398391366.0000000006030000.00000002.00000001.sdmp, INV01562.exe, 00000001.00000003.346822822.0000000005F5B000.00000004.00000001.sdmp, INV01562.exe, 00000001.00000003.346760612.0000000005F5B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                      Source: INV01562.exe, 00000001.00000003.350835201.0000000005F5B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers(
                      Source: INV01562.exe, 00000001.00000003.345109661.0000000005F5E000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/
                      Source: INV01562.exe, 00000001.00000002.398391366.0000000006030000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                      Source: INV01562.exe, 00000001.00000003.346674174.0000000005F7E000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
                      Source: INV01562.exe, 00000001.00000002.398391366.0000000006030000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                      Source: INV01562.exe, 00000001.00000003.347987257.0000000005F7E000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlo
                      Source: INV01562.exe, 00000001.00000003.346049455.0000000005F7E000.00000004.00000001.sdmp, INV01562.exe, 00000001.00000003.346065205.0000000005F5B000.00000004.00000001.sdmp, INV01562.exe, 00000001.00000002.398391366.0000000006030000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                      Source: INV01562.exe, 00000001.00000003.346822822.0000000005F5B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers5
                      Source: INV01562.exe, 00000001.00000003.346065205.0000000005F5B000.00000004.00000001.sdmp, INV01562.exe, 00000001.00000002.398391366.0000000006030000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                      Source: INV01562.exe, 00000001.00000002.398391366.0000000006030000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                      Source: INV01562.exe, 00000001.00000002.398391366.0000000006030000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                      Source: INV01562.exe, 00000001.00000003.345692898.0000000005F5B000.00000004.00000001.sdmp, INV01562.exe, 00000001.00000003.350835201.0000000005F5B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersP
                      Source: INV01562.exe, 00000001.00000003.345109661.0000000005F5E000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersp
                      Source: INV01562.exe, 00000001.00000003.345692898.0000000005F5B000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designerst
                      Source: INV01562.exe, 00000001.00000002.390558833.00000000016A7000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.comdiao&
                      Source: INV01562.exe, 00000001.00000002.398391366.0000000006030000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
                      Source: INV01562.exe, 00000001.00000003.339834958.0000000005F5B000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.c
                      Source: INV01562.exe, 00000001.00000003.341667795.0000000005F5B000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                      Source: INV01562.exe, 00000001.00000003.341667795.0000000005F5B000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn.
                      Source: INV01562.exe, 00000001.00000003.340578674.0000000005F61000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/
                      Source: INV01562.exe, 00000001.00000002.398391366.0000000006030000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                      Source: INV01562.exe, 00000001.00000002.398391366.0000000006030000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                      Source: INV01562.exe, 00000001.00000003.340154969.0000000005F5B000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnhkP
                      Source: INV01562.exe, 00000001.00000003.340486777.0000000005F61000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnicrC
                      Source: INV01562.exe, 00000001.00000002.398391366.0000000006030000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                      Source: INV01562.exe, 00000001.00000003.348503106.0000000005F5B000.00000004.00000001.sdmp, INV01562.exe, 00000001.00000002.398391366.0000000006030000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                      Source: INV01562.exe, 00000001.00000003.348503106.0000000005F5B000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm.
                      Source: INV01562.exe, 00000001.00000003.339834958.0000000005F5B000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.k
                      Source: INV01562.exe, 00000001.00000002.398391366.0000000006030000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
                      Source: INV01562.exe, 00000001.00000003.339764280.0000000005F5B000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr-uW
                      Source: INV01562.exe, 00000001.00000003.339764280.0000000005F5B000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.krm
                      Source: INV01562.exe, 00000001.00000002.398391366.0000000006030000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                      Source: INV01562.exe, 00000001.00000003.344644536.0000000005F5F000.00000004.00000001.sdmpString found in binary or memory: http://www.monotype.
                      Source: INV01562.exe, 00000001.00000003.346374783.0000000005F5B000.00000004.00000001.sdmpString found in binary or memory: http://www.monotype.1
                      Source: INV01562.exe, 00000001.00000002.398391366.0000000006030000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
                      Source: INV01562.exe, 00000001.00000003.336452994.0000000005F42000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.coma
                      Source: INV01562.exe, 00000001.00000003.336452994.0000000005F42000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.come
                      Source: INV01562.exe, 00000001.00000003.336452994.0000000005F42000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.comj
                      Source: INV01562.exe, 00000001.00000002.398391366.0000000006030000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
                      Source: INV01562.exe, 00000001.00000003.343018648.0000000005F63000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.comT
                      Source: INV01562.exe, 00000001.00000003.339764280.0000000005F5B000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
                      Source: INV01562.exe, 00000001.00000003.339764280.0000000005F5B000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krE
                      Source: INV01562.exe, 00000001.00000003.339566214.0000000005F5B000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krn-us
                      Source: INV01562.exe, 00000001.00000002.398391366.0000000006030000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
                      Source: INV01562.exe, 00000001.00000003.342012433.0000000005F5B000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com1
                      Source: INV01562.exe, 00000001.00000003.340922193.0000000005F61000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com8
                      Source: INV01562.exe, 00000001.00000003.342039827.0000000005F5B000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comic
                      Source: INV01562.exe, 00000001.00000002.398391366.0000000006030000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
                      Source: INV01562.exe, 00000001.00000003.347245535.0000000005F68000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de
                      Source: INV01562.exe, 00000001.00000003.344961325.0000000005F5E000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de(
                      Source: INV01562.exe, 00000001.00000003.347245535.0000000005F68000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de.j
                      Source: INV01562.exe, 00000001.00000003.344764799.0000000005F5F000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de?
                      Source: INV01562.exe, 00000001.00000002.398391366.0000000006030000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                      Source: INV01562.exe, 00000001.00000003.345378020.0000000005F5B000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.dey1
                      Source: INV01562.exe, 00000001.00000002.398391366.0000000006030000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                      Source: INV01562.exe, 00000001.00000003.341269412.0000000005F5E000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cnP
                      Source: INV01562.exe, 00000001.00000003.341269412.0000000005F5E000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cneI
                      Source: INV01562.exe, 00000001.00000003.341269412.0000000005F5E000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cno.
                      Source: INV01562.exe, 00000001.00000003.341269412.0000000005F5E000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cno.b
                      Source: INV01562.exe, 00000001.00000003.341269412.0000000005F5E000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cnsk
                      Source: INV01562.exe, 00000006.00000002.600806948.0000000002981000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%
                      Source: INV01562.exe, 00000006.00000002.600806948.0000000002981000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%GETMozilla/5.0
                      Source: INV01562.exe, 00000001.00000002.394452914.00000000041F9000.00000004.00000001.sdmp, INV01562.exe, 00000006.00000002.598365443.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                      Source: INV01562.exe, 00000006.00000002.600806948.0000000002981000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
                      Source: C:\Users\user\Desktop\INV01562.exeWindow created: window name: CLIPBRDWNDCLASS

                      System Summary:

                      barindex
                      .NET source code contains very large array initializationsShow sources
                      Source: 6.2.INV01562.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b1F6C6701u002d34B9u002d4345u002d90A4u002dB6F6C9C845F6u007d/C1436BFDu002dFAFDu002d4F86u002d92DAu002dF86FD8442AC9.csLarge array initialization: .cctor: array initializer size 11950
                      Source: C:\Users\user\Desktop\INV01562.exeCode function: 1_2_0167D20C
                      Source: C:\Users\user\Desktop\INV01562.exeCode function: 1_2_0167F2C0
                      Source: C:\Users\user\Desktop\INV01562.exeCode function: 1_2_0167F2D0
                      Source: C:\Users\user\Desktop\INV01562.exeCode function: 1_2_09336010
                      Source: C:\Users\user\Desktop\INV01562.exeCode function: 1_2_093378B1
                      Source: C:\Users\user\Desktop\INV01562.exeCode function: 1_2_093378C0
                      Source: C:\Users\user\Desktop\INV01562.exeCode function: 1_2_09331D7D
                      Source: C:\Users\user\Desktop\INV01562.exeCode function: 1_2_09330006
                      Source: C:\Users\user\Desktop\INV01562.exeCode function: 1_2_09330040
                      Source: C:\Users\user\Desktop\INV01562.exeCode function: 1_2_0933555B
                      Source: C:\Users\user\Desktop\INV01562.exeCode function: 1_2_093355C6
                      Source: C:\Users\user\Desktop\INV01562.exeCode function: 6_2_00D068B0
                      Source: C:\Users\user\Desktop\INV01562.exeCode function: 6_2_00D036A8
                      Source: C:\Users\user\Desktop\INV01562.exeCode function: 6_2_00D0F3D8
                      Source: C:\Users\user\Desktop\INV01562.exeCode function: 6_2_00D05B50
                      Source: C:\Users\user\Desktop\INV01562.exeCode function: 6_2_00D0D898
                      Source: C:\Users\user\Desktop\INV01562.exeCode function: 6_2_027446A0
                      Source: C:\Users\user\Desktop\INV01562.exeCode function: 6_2_027445B0
                      Source: C:\Users\user\Desktop\INV01562.exeCode function: 6_2_05B37540
                      Source: C:\Users\user\Desktop\INV01562.exeCode function: 6_2_05B394F8
                      Source: C:\Users\user\Desktop\INV01562.exeCode function: 6_2_05B36928
                      Source: C:\Users\user\Desktop\INV01562.exeCode function: 6_2_05B36C70
                      Source: INV01562.exe, 00000001.00000002.399368322.00000000079A0000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs INV01562.exe
                      Source: INV01562.exe, 00000001.00000002.399722957.0000000008DF0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs INV01562.exe
                      Source: INV01562.exe, 00000001.00000002.394452914.00000000041F9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameBpjccrAFYAOOIEcZSbkHoAEMzlFBSaeonAOhcQT.exe4 vs INV01562.exe
                      Source: INV01562.exe, 00000001.00000002.394452914.00000000041F9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNT1ms*YMnDC vs INV01562.exe
                      Source: INV01562.exe, 00000001.00000002.399433412.0000000007A00000.00000002.00000001.sdmpBinary or memory string: originalfilename vs INV01562.exe
                      Source: INV01562.exe, 00000001.00000002.399433412.0000000007A00000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs INV01562.exe
                      Source: INV01562.exe, 00000006.00000002.600139709.0000000000D10000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs INV01562.exe
                      Source: INV01562.exe, 00000006.00000002.598365443.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameBpjccrAFYAOOIEcZSbkHoAEMzlFBSaeonAOhcQT.exe4 vs INV01562.exe
                      Source: INV01562.exe, 00000006.00000002.600104428.0000000000CF0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewshom.ocx.mui vs INV01562.exe
                      Source: INV01562.exe, 00000006.00000002.599761413.0000000000BDA000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs INV01562.exe
                      Source: INV01562.exe, 00000006.00000000.388419314.00000000005EC000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameNT1ms*YMnDC vs INV01562.exe
                      Source: INV01562.exe, 00000006.00000002.600079703.0000000000CE0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewshom.ocx vs INV01562.exe
                      Source: INV01562.exeBinary or memory string: OriginalFilenameNT1ms*YMnDC vs INV01562.exe
                      Source: INV01562.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: 6.2.INV01562.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 6.2.INV01562.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@6/3@0/0
                      Source: C:\Users\user\Desktop\INV01562.exeFile created: C:\Users\user\AppData\Roaming\ChpWNEmipxih.exeJump to behavior
                      Source: C:\Users\user\Desktop\INV01562.exeMutant created: \Sessions\1\BaseNamedObjects\DogqitrWxB
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1604:120:WilError_01
                      Source: C:\Users\user\Desktop\INV01562.exeFile created: C:\Users\user\AppData\Local\Temp\tmp8EA8.tmpJump to behavior
                      Source: INV01562.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\INV01562.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\Desktop\INV01562.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\Desktop\INV01562.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\INV01562.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                      Source: C:\Users\user\Desktop\INV01562.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: INV01562.exeReversingLabs: Detection: 10%
                      Source: C:\Users\user\Desktop\INV01562.exeFile read: C:\Users\user\Desktop\INV01562.exeJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\INV01562.exe 'C:\Users\user\Desktop\INV01562.exe'
                      Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ChpWNEmipxih' /XML 'C:\Users\user\AppData\Local\Temp\tmp8EA8.tmp'
                      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknownProcess created: C:\Users\user\Desktop\INV01562.exe {path}
                      Source: C:\Users\user\Desktop\INV01562.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ChpWNEmipxih' /XML 'C:\Users\user\AppData\Local\Temp\tmp8EA8.tmp'
                      Source: C:\Users\user\Desktop\INV01562.exeProcess created: C:\Users\user\Desktop\INV01562.exe {path}
                      Source: C:\Users\user\Desktop\INV01562.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
                      Source: C:\Users\user\Desktop\INV01562.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: C:\Users\user\Desktop\INV01562.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: INV01562.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: INV01562.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: C:\Users\user\Desktop\INV01562.exeCode function: 1_2_09773DC5 push FFFFFF8Bh; iretd
                      Source: C:\Users\user\Desktop\INV01562.exeCode function: 6_2_00D0B597 push edi; retn 0000h
                      Source: C:\Users\user\Desktop\INV01562.exeCode function: 6_2_0274CD51 push esp; iretd
                      Source: C:\Users\user\Desktop\INV01562.exeCode function: 6_2_0274DD26 push FFFFFF8Bh; iretd
                      Source: initial sampleStatic PE information: section name: .text entropy: 6.80837869151
                      Source: initial sampleStatic PE information: section name: .text entropy: 6.80837869151
                      Source: C:\Users\user\Desktop\INV01562.exeFile created: C:\Users\user\AppData\Roaming\ChpWNEmipxih.exeJump to dropped file

                      Boot Survival:

                      barindex
                      Uses schtasks.exe or at.exe to add and modify task schedulesShow sources
                      Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ChpWNEmipxih' /XML 'C:\Users\user\AppData\Local\Temp\tmp8EA8.tmp'
                      Source: C:\Users\user\Desktop\INV01562.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      barindex
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
                      Source: C:\Users\user\Desktop\INV01562.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
                      Source: C:\Users\user\Desktop\INV01562.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Users\user\Desktop\INV01562.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: C:\Users\user\Desktop\INV01562.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\INV01562.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\INV01562.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\INV01562.exeWindow / User API: threadDelayed 9524
                      Source: C:\Users\user\Desktop\INV01562.exe TID: 6996Thread sleep time: -30000s >= -30000s
                      Source: C:\Users\user\Desktop\INV01562.exe TID: 7044Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\INV01562.exe TID: 5608Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\INV01562.exe TID: 6228Thread sleep time: -11068046444225724s >= -30000s
                      Source: C:\Users\user\Desktop\INV01562.exe TID: 348Thread sleep count: 338 > 30
                      Source: C:\Users\user\Desktop\INV01562.exe TID: 348Thread sleep count: 9524 > 30
                      Source: C:\Users\user\Desktop\INV01562.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: INV01562.exe, 00000006.00000002.599830619.0000000000C04000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Users\user\Desktop\INV01562.exeProcess information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\INV01562.exeCode function: 6_2_00D00A70 KiUserExceptionDispatcher,KiUserExceptionDispatcher,LdrInitializeThunk,KiUserExceptionDispatcher,
                      Source: C:\Users\user\Desktop\INV01562.exeProcess token adjusted: Debug
                      Source: C:\Users\user\Desktop\INV01562.exeProcess token adjusted: Debug
                      Source: C:\Users\user\Desktop\INV01562.exeMemory allocated: page read and write | page guard
                      Source: C:\Users\user\Desktop\INV01562.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ChpWNEmipxih' /XML 'C:\Users\user\AppData\Local\Temp\tmp8EA8.tmp'
                      Source: C:\Users\user\Desktop\INV01562.exeProcess created: C:\Users\user\Desktop\INV01562.exe {path}
                      Source: INV01562.exe, 00000006.00000002.600313195.0000000001320000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
                      Source: INV01562.exe, 00000006.00000002.600313195.0000000001320000.00000002.00000001.sdmpBinary or memory string: Progman
                      Source: INV01562.exe, 00000006.00000002.600313195.0000000001320000.00000002.00000001.sdmpBinary or memory string: &Program Manager
                      Source: INV01562.exe, 00000006.00000002.600313195.0000000001320000.00000002.00000001.sdmpBinary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Users\user\Desktop\INV01562.exe VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Users\user\Desktop\INV01562.exe VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\INV01562.exeCode function: 6_2_05B35A94 GetUserNameW,
                      Source: C:\Users\user\Desktop\INV01562.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information:

                      barindex
                      Yara detected AgentTeslaShow sources
                      Source: Yara matchFile source: 00000006.00000002.598365443.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000002.394452914.00000000041F9000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: INV01562.exe PID: 5776, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: INV01562.exe PID: 6992, type: MEMORY
                      Source: Yara matchFile source: 6.2.INV01562.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.INV01562.exe.434dd98.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.INV01562.exe.4383fb8.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.INV01562.exe.434dd98.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.INV01562.exe.42486e8.2.raw.unpack, type: UNPACKEDPE
                      Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)Show sources
                      Source: C:\Users\user\Desktop\INV01562.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                      Tries to harvest and steal browser information (history, passwords, etc)Show sources
                      Source: C:\Users\user\Desktop\INV01562.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Tries to harvest and steal ftp login credentialsShow sources
                      Source: C:\Users\user\Desktop\INV01562.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                      Source: C:\Users\user\Desktop\INV01562.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                      Tries to steal Mail credentials (via file access)Show sources
                      Source: C:\Users\user\Desktop\INV01562.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\Desktop\INV01562.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\Desktop\INV01562.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                      Source: C:\Users\user\Desktop\INV01562.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: Yara matchFile source: 00000006.00000002.600806948.0000000002981000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: INV01562.exe PID: 5776, type: MEMORY

                      Remote Access Functionality:

                      barindex
                      Yara detected AgentTeslaShow sources
                      Source: Yara matchFile source: 00000006.00000002.598365443.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000001.00000002.394452914.00000000041F9000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: INV01562.exe PID: 5776, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: INV01562.exe PID: 6992, type: MEMORY
                      Source: Yara matchFile source: 6.2.INV01562.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.INV01562.exe.434dd98.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.INV01562.exe.4383fb8.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.INV01562.exe.434dd98.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 1.2.INV01562.exe.42486e8.2.raw.unpack, type: UNPACKEDPE

                      Mitre Att&ck Matrix

                      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                      Valid AccountsWindows Management Instrumentation211Scheduled Task/Job1Process Injection12Disable or Modify Tools1OS Credential Dumping2Account Discovery1Remote ServicesArchive Collected Data11Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                      Default AccountsScheduled Task/Job1Boot or Logon Initialization ScriptsScheduled Task/Job1Deobfuscate/Decode Files or Information1Credentials in Registry1File and Directory Discovery1Remote Desktop ProtocolData from Local System2Exfiltration Over BluetoothApplication Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                      Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or Information2Security Account ManagerSystem Information Discovery114SMB/Windows Admin SharesEmail Collection1Automated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Software Packing2NTDSQuery Registry1Distributed Component Object ModelClipboard Data1Scheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
                      Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptMasquerading1LSA SecretsSecurity Software Discovery221SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                      Replication Through Removable MediaLaunchdRc.commonRc.commonVirtualization/Sandbox Evasion14Cached Domain CredentialsVirtualization/Sandbox Evasion14VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                      External Remote ServicesScheduled TaskStartup ItemsStartup ItemsProcess Injection12DCSyncProcess Discovery2Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                      Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc FilesystemApplication Window Discovery1Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
                      Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Masquerading/etc/passwd and /etc/shadowSystem Owner/User Discovery1Software Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction

                      Behavior Graph

                      Hide Legend

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.

                      windows-stand

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      SourceDetectionScannerLabelLink
                      INV01562.exe11%ReversingLabsByteCode-MSIL.Trojan.Pwsx

                      Dropped Files

                      SourceDetectionScannerLabelLink
                      C:\Users\user\AppData\Roaming\ChpWNEmipxih.exe11%ReversingLabsByteCode-MSIL.Trojan.Pwsx

                      Unpacked PE Files

                      SourceDetectionScannerLabelLinkDownload
                      6.2.INV01562.exe.400000.0.unpack100%AviraTR/Spy.Gen8Download File

                      Domains

                      No Antivirus matches

                      URLs

                      SourceDetectionScannerLabelLink
                      http://127.0.0.1:HTTP/1.10%Avira URL Cloudsafe
                      http://www.urwpp.de.j0%Avira URL Cloudsafe
                      http://www.tiro.com80%Avira URL Cloudsafe
                      http://www.carterandcone.comes0%URL Reputationsafe
                      http://www.carterandcone.comes0%URL Reputationsafe
                      http://www.carterandcone.comes0%URL Reputationsafe
                      http://www.carterandcone.comes0%URL Reputationsafe
                      http://www.tiro.com10%Avira URL Cloudsafe
                      http://www.esvstudybible.org/search?q=Whttp://www.blueletterbible.org/Bible.cfm?b=0%Avira URL Cloudsafe
                      http://www.sajatypeworks.com0%URL Reputationsafe
                      http://www.sajatypeworks.com0%URL Reputationsafe
                      http://www.sajatypeworks.com0%URL Reputationsafe
                      http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
                      http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
                      http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
                      http://www.urwpp.dey10%Avira URL Cloudsafe
                      http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                      http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                      http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                      http://www.urwpp.de(0%Avira URL Cloudsafe
                      http://www.ascendercorp.com/typedesigners.html0%URL Reputationsafe
                      http://www.ascendercorp.com/typedesigners.html0%URL Reputationsafe
                      http://www.ascendercorp.com/typedesigners.html0%URL Reputationsafe
                      http://www.urwpp.deDPlease0%URL Reputationsafe
                      http://www.urwpp.deDPlease0%URL Reputationsafe
                      http://www.urwpp.deDPlease0%URL Reputationsafe
                      http://www.goodfont.co.krm0%Avira URL Cloudsafe
                      http://www.sandoll.co.krE0%Avira URL Cloudsafe
                      http://www.zhongyicts.com.cn0%URL Reputationsafe
                      http://www.zhongyicts.com.cn0%URL Reputationsafe
                      http://www.zhongyicts.com.cn0%URL Reputationsafe
                      http://www.carterandcone.como.0%URL Reputationsafe
                      http://www.carterandcone.como.0%URL Reputationsafe
                      http://www.carterandcone.como.0%URL Reputationsafe
                      https://api.ipify.org%0%URL Reputationsafe
                      https://api.ipify.org%0%URL Reputationsafe
                      https://api.ipify.org%0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
                      http://www.carterandcone.coma0%URL Reputationsafe
                      http://www.carterandcone.coma0%URL Reputationsafe
                      http://www.carterandcone.coma0%URL Reputationsafe
                      http://www.carterandcone.come0%URL Reputationsafe
                      http://www.carterandcone.come0%URL Reputationsafe
                      http://www.carterandcone.come0%URL Reputationsafe
                      http://www.carterandcone.comd0%URL Reputationsafe
                      http://www.carterandcone.comd0%URL Reputationsafe
                      http://www.carterandcone.comd0%URL Reputationsafe
                      http://www.sakkal.comT0%Avira URL Cloudsafe
                      http://www.zhongyicts.com.cno.b0%Avira URL Cloudsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
                      http://www.zhongyicts.com.cnsk0%Avira URL Cloudsafe
                      http://www.esvstudybible.org/search?q=0%Avira URL Cloudsafe
                      http://hDXvRr.com0%Avira URL Cloudsafe
                      http://www.carterandcone.comj0%Avira URL Cloudsafe
                      http://www.carterandcone.comh0%Avira URL Cloudsafe
                      http://www.founder.com.cn/cnhkP0%Avira URL Cloudsafe
                      http://www.carterandcone.coml0%URL Reputationsafe
                      http://www.carterandcone.coml0%URL Reputationsafe
                      http://www.carterandcone.coml0%URL Reputationsafe
                      http://www.founder.com.cn/cn/0%URL Reputationsafe
                      http://www.founder.com.cn/cn/0%URL Reputationsafe
                      http://www.founder.com.cn/cn/0%URL Reputationsafe
                      http://www.founder.com.cn/cn.0%Avira URL Cloudsafe
                      http://www.carterandcone.com-dg0%Avira URL Cloudsafe
                      http://www.founder.com.cn/cnicrC0%Avira URL Cloudsafe
                      http://www.monotype.10%Avira URL Cloudsafe
                      http://www.carterandcone.comou0%Avira URL Cloudsafe
                      http://www.zhongyicts.com.cnP0%Avira URL Cloudsafe
                      http://en.w80%Avira URL Cloudsafe
                      http://www.tiro.comic0%URL Reputationsafe
                      http://www.tiro.comic0%URL Reputationsafe
                      http://www.tiro.comic0%URL Reputationsafe
                      http://www.carterandcone.com$0%Avira URL Cloudsafe
                      http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                      http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                      http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                      http://www.carterandcone.comTCO0%Avira URL Cloudsafe
                      http://www.tiro.com0%URL Reputationsafe
                      http://www.tiro.com0%URL Reputationsafe
                      http://www.tiro.com0%URL Reputationsafe
                      http://www.galapagosdesign.com/staff/dennis.htm.0%Avira URL Cloudsafe
                      http://www.goodfont.co.kr0%URL Reputationsafe
                      http://www.goodfont.co.kr0%URL Reputationsafe
                      http://www.goodfont.co.kr0%URL Reputationsafe
                      http://www.carterandcone.com0%URL Reputationsafe
                      http://www.carterandcone.com0%URL Reputationsafe
                      http://www.carterandcone.com0%URL Reputationsafe
                      http://topicalmemorysystem.googlecode.com/files/0%Avira URL Cloudsafe
                      http://www.carterandcone.com.0%URL Reputationsafe
                      http://www.carterandcone.com.0%URL Reputationsafe
                      http://www.carterandcone.com.0%URL Reputationsafe
                      http://www.zhongyicts.com.cneI0%Avira URL Cloudsafe
                      http://www.typography.netD0%URL Reputationsafe
                      http://www.typography.netD0%URL Reputationsafe
                      http://www.typography.netD0%URL Reputationsafe
                      http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      Contacted URLs

                      NameMaliciousAntivirus DetectionReputation
                      http://ONYvyFrci4NQP.comtrue
                      • Avira URL Cloud: safe
                      		unknown

                      URLs from Memory and Binaries

                      NameSourceMaliciousAntivirus DetectionReputation
                      http://127.0.0.1:HTTP/1.1INV01562.exe, 00000006.00000002.600806948.0000000002981000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      		low
                      http://www.urwpp.de.jINV01562.exe, 00000001.00000003.347245535.0000000005F68000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://www.tiro.com8INV01562.exe, 00000001.00000003.340922193.0000000005F61000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://www.carterandcone.comesINV01562.exe, 00000001.00000003.341398991.0000000005F5B000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      • URL Reputation: safe
                      		unknown
                      http://www.tiro.com1INV01562.exe, 00000001.00000003.342012433.0000000005F5B000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://www.esvstudybible.org/search?q=Whttp://www.blueletterbible.org/Bible.cfm?b=INV01562.exefalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://www.fontbureau.com/designersINV01562.exe, 00000001.00000002.398391366.0000000006030000.00000002.00000001.sdmp, INV01562.exe, 00000001.00000003.346822822.0000000005F5B000.00000004.00000001.sdmp, INV01562.exe, 00000001.00000003.346760612.0000000005F5B000.00000004.00000001.sdmpfalse
                        		high
                        http://www.sajatypeworks.comINV01562.exe, 00000001.00000002.398391366.0000000006030000.00000002.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        		unknown
                        http://www.founder.com.cn/cn/cTheINV01562.exe, 00000001.00000002.398391366.0000000006030000.00000002.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        		unknown
                        http://www.urwpp.dey1INV01562.exe, 00000001.00000003.345378020.0000000005F5B000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://www.galapagosdesign.com/DPleaseINV01562.exe, 00000001.00000002.398391366.0000000006030000.00000002.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        		unknown
                        http://www.urwpp.de(INV01562.exe, 00000001.00000003.344961325.0000000005F5E000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        		low
                        http://www.ascendercorp.com/typedesigners.htmlINV01562.exe, 00000001.00000003.342976331.0000000005F63000.00000004.00000001.sdmp, INV01562.exe, 00000001.00000003.343052853.0000000005F63000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        		unknown
                        http://www.urwpp.deDPleaseINV01562.exe, 00000001.00000002.398391366.0000000006030000.00000002.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        		unknown
                        http://www.goodfont.co.krmINV01562.exe, 00000001.00000003.339764280.0000000005F5B000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://www.sandoll.co.krEINV01562.exe, 00000001.00000003.339764280.0000000005F5B000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        		unknown
                        http://www.zhongyicts.com.cnINV01562.exe, 00000001.00000002.398391366.0000000006030000.00000002.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        		unknown
                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameINV01562.exe, 00000001.00000002.391105435.00000000031F1000.00000004.00000001.sdmpfalse
                          		high
                          http://www.carterandcone.como.INV01562.exe, 00000001.00000003.341667795.0000000005F5B000.00000004.00000001.sdmp, INV01562.exe, 00000001.00000003.341398991.0000000005F5B000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          		unknown
                          https://api.ipify.org%INV01562.exe, 00000006.00000002.600806948.0000000002981000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          		low
                          https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zipINV01562.exe, 00000001.00000002.394452914.00000000041F9000.00000004.00000001.sdmp, INV01562.exe, 00000006.00000002.598365443.0000000000402000.00000040.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          		unknown
                          http://www.carterandcone.comaINV01562.exe, 00000001.00000003.341947277.0000000005F5B000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          		unknown
                          http://www.carterandcone.comeINV01562.exe, 00000001.00000003.341448446.0000000005F5B000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          		unknown
                          http://www.carterandcone.comdINV01562.exe, 00000001.00000003.341638917.0000000005F5B000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          		unknown
                          http://www.sakkal.comTINV01562.exe, 00000001.00000003.343018648.0000000005F63000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://www.zhongyicts.com.cno.bINV01562.exe, 00000001.00000003.341269412.0000000005F5E000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%haINV01562.exe, 00000006.00000002.600806948.0000000002981000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          		unknown
                          http://www.zhongyicts.com.cnskINV01562.exe, 00000001.00000003.341269412.0000000005F5E000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://www.biblegateway.com/passage/?search=INV01562.exefalse
                            		high
                            http://www.esvstudybible.org/search?q=INV01562.exefalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://hDXvRr.comINV01562.exe, 00000006.00000002.600806948.0000000002981000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://www.carterandcone.comjINV01562.exe, 00000001.00000003.341589885.0000000005F5B000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://www.carterandcone.comhINV01562.exe, 00000001.00000003.341714081.0000000005F5B000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://www.founder.com.cn/cnhkPINV01562.exe, 00000001.00000003.340154969.0000000005F5B000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://www.carterandcone.comlINV01562.exe, 00000001.00000002.398391366.0000000006030000.00000002.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            		unknown
                            http://www.founder.com.cn/cn/INV01562.exe, 00000001.00000003.340578674.0000000005F61000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            		unknown
                            http://www.founder.com.cn/cn.INV01562.exe, 00000001.00000003.341667795.0000000005F5B000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://www.carterandcone.com-dgINV01562.exe, 00000001.00000003.341667795.0000000005F5B000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://www.fontbureau.com/designers/frere-jones.htmlINV01562.exe, 00000001.00000003.346049455.0000000005F7E000.00000004.00000001.sdmp, INV01562.exe, 00000001.00000003.346065205.0000000005F5B000.00000004.00000001.sdmp, INV01562.exe, 00000001.00000002.398391366.0000000006030000.00000002.00000001.sdmpfalse
                              		high
                              http://www.founder.com.cn/cnicrCINV01562.exe, 00000001.00000003.340486777.0000000005F61000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://www.monotype.1INV01562.exe, 00000001.00000003.346374783.0000000005F5B000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              		low
                              http://www.carterandcone.comouINV01562.exe, 00000001.00000003.341448446.0000000005F5B000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://www.zhongyicts.com.cnPINV01562.exe, 00000001.00000003.341269412.0000000005F5E000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://en.w8INV01562.exe, 00000001.00000003.338652353.0000000005F5B000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://www.tiro.comicINV01562.exe, 00000001.00000003.342039827.0000000005F5B000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              		unknown
                              http://www.fontbureau.com/designersGINV01562.exe, 00000001.00000002.398391366.0000000006030000.00000002.00000001.sdmpfalse
                                		high
                                http://www.fontbureau.com/designers/?INV01562.exe, 00000001.00000002.398391366.0000000006030000.00000002.00000001.sdmpfalse
                                  		high
                                  http://www.carterandcone.com$INV01562.exe, 00000001.00000003.341667795.0000000005F5B000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		low
                                  http://www.founder.com.cn/cn/bTheINV01562.exe, 00000001.00000002.398391366.0000000006030000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.fontbureau.com/designers?INV01562.exe, 00000001.00000002.398391366.0000000006030000.00000002.00000001.sdmpfalse
                                    		high
                                    http://www.carterandcone.comTCOINV01562.exe, 00000001.00000003.341947277.0000000005F5B000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://www.tiro.comINV01562.exe, 00000001.00000002.398391366.0000000006030000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.galapagosdesign.com/staff/dennis.htm.INV01562.exe, 00000001.00000003.348503106.0000000005F5B000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://www.goodfont.co.krINV01562.exe, 00000001.00000002.398391366.0000000006030000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.carterandcone.comINV01562.exe, 00000001.00000003.342107270.0000000005F5B000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    		unknown
                                    http://topicalmemorysystem.googlecode.com/files/INV01562.exefalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://www.fontbureau.com/designersPINV01562.exe, 00000001.00000003.345692898.0000000005F5B000.00000004.00000001.sdmp, INV01562.exe, 00000001.00000003.350835201.0000000005F5B000.00000004.00000001.sdmpfalse
                                      		high
                                      http://www.carterandcone.com.INV01562.exe, 00000001.00000003.341667795.0000000005F5B000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.zhongyicts.com.cneIINV01562.exe, 00000001.00000003.341269412.0000000005F5E000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      http://www.typography.netDINV01562.exe, 00000001.00000002.398391366.0000000006030000.00000002.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.galapagosdesign.com/staff/dennis.htmINV01562.exe, 00000001.00000003.348503106.0000000005F5B000.00000004.00000001.sdmp, INV01562.exe, 00000001.00000002.398391366.0000000006030000.00000002.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      		unknown
                                      http://fontfabrik.comINV01562.exe, 00000001.00000003.338485825.0000000005F5B000.00000004.00000001.sdmp, INV01562.exe, 00000001.00000002.398391366.0000000006030000.00000002.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      		unknown
                                      http://dorreve.comINV01562.exe, 00000006.00000002.602377629.0000000002CE9000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      http://www.goodfont.co.kr-uWINV01562.exe, 00000001.00000003.339764280.0000000005F5B000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      http://www.blueletterbible.org/Bible.cfm?b=INV01562.exefalse
                                        		high
                                        http://www.goodfont.co.kINV01562.exe, 00000001.00000003.339834958.0000000005F5B000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		unknown
                                        https://api.ipify.org%GETMozilla/5.0INV01562.exe, 00000006.00000002.600806948.0000000002981000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        		low
                                        http://www.fonts.comINV01562.exe, 00000001.00000002.398391366.0000000006030000.00000002.00000001.sdmpfalse
                                          		high
                                          http://www.sandoll.co.krINV01562.exe, 00000001.00000003.339764280.0000000005F5B000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.sajatypeworks.comaINV01562.exe, 00000001.00000003.336452994.0000000005F42000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.urwpp.deINV01562.exe, 00000001.00000003.347245535.0000000005F68000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.fontbureau.comdiao&INV01562.exe, 00000001.00000002.390558833.00000000016A7000.00000004.00000040.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		low
                                          http://www.fontbureau.com/designerspINV01562.exe, 00000001.00000003.345109661.0000000005F5E000.00000004.00000001.sdmpfalse
                                            		high
                                            http://www.sajatypeworks.comeINV01562.exe, 00000001.00000003.336452994.0000000005F42000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            		unknown
                                            http://www.sakkal.comINV01562.exe, 00000001.00000002.398391366.0000000006030000.00000002.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            		unknown
                                            http://www.sajatypeworks.comjINV01562.exe, 00000001.00000003.336452994.0000000005F42000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            http://www.fontbureau.com/designerstINV01562.exe, 00000001.00000003.345692898.0000000005F5B000.00000004.00000001.sdmpfalse
                                              		high
                                              http://www.apache.org/licenses/LICENSE-2.0INV01562.exe, 00000001.00000002.398391366.0000000006030000.00000002.00000001.sdmpfalse
                                                		high
                                                http://www.fontbureau.comINV01562.exe, 00000001.00000002.398391366.0000000006030000.00000002.00000001.sdmpfalse
                                                  		high
                                                  http://DynDns.comDynDNSINV01562.exe, 00000006.00000002.600806948.0000000002981000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  		unknown
                                                  http://www.fontbureau.com/designers/cabarga.htmloINV01562.exe, 00000001.00000003.347987257.0000000005F7E000.00000004.00000001.sdmpfalse
                                                    		high
                                                    http://www.carterandcone.comfacINV01562.exe, 00000001.00000003.341947277.0000000005F5B000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    		unknown
                                                    http://www.founder.com.cINV01562.exe, 00000001.00000003.339834958.0000000005F5B000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    		unknown
                                                    http://mail.dorreve.comINV01562.exe, 00000006.00000002.602377629.0000000002CE9000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    		unknown
                                                    http://www.carterandcone.comeIINV01562.exe, 00000001.00000003.341398991.0000000005F5B000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    		unknown
                                                    http://www.carterandcone.comdeINV01562.exe, 00000001.00000003.341667795.0000000005F5B000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    		unknown
                                                    http://www.biblija.net/biblija.cgi?m=INV01562.exefalse
                                                      		high
                                                      http://www.urwpp.de?INV01562.exe, 00000001.00000003.344764799.0000000005F5F000.00000004.00000001.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      		unknown
                                                      http://www.fontbureau.com/designers(INV01562.exe, 00000001.00000003.350835201.0000000005F5B000.00000004.00000001.sdmpfalse
                                                        		high
                                                        http://www.fontbureau.com/designers/cabarga.htmlNINV01562.exe, 00000001.00000002.398391366.0000000006030000.00000002.00000001.sdmpfalse
                                                          		high
                                                          http://www.sandoll.co.krn-usINV01562.exe, 00000001.00000003.339566214.0000000005F5B000.00000004.00000001.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          		unknown
                                                          http://www.carterandcone.comintINV01562.exe, 00000001.00000003.341398991.0000000005F5B000.00000004.00000001.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          		unknown
                                                          http://www.founder.com.cn/cnINV01562.exe, 00000001.00000003.341667795.0000000005F5B000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          		unknown
                                                          http://www.fontbureau.com/designers/cabarga.htmlINV01562.exe, 00000001.00000003.346674174.0000000005F7E000.00000004.00000001.sdmpfalse
                                                            		high
                                                            http://www.monotype.INV01562.exe, 00000001.00000003.344644536.0000000005F5F000.00000004.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            		unknown
                                                            http://www.jiyu-kobo.co.jp/INV01562.exe, 00000001.00000002.398391366.0000000006030000.00000002.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            		unknown
                                                            http://www.zhongyicts.com.cno.INV01562.exe, 00000001.00000003.341269412.0000000005F5E000.00000004.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            		unknown
                                                            http://www.fontbureau.com/designers8INV01562.exe, 00000001.00000003.346065205.0000000005F5B000.00000004.00000001.sdmp, INV01562.exe, 00000001.00000002.398391366.0000000006030000.00000002.00000001.sdmpfalse
                                                              		high
                                                              http://www.fontbureau.com/designers/INV01562.exe, 00000001.00000003.345109661.0000000005F5E000.00000004.00000001.sdmpfalse
                                                                		high

                                                                Contacted IPs

                                                                No contacted IP infos

                                                                General Information

                                                                Joe Sandbox Version:31.0.0 Emerald
                                                                Analysis ID:356538
                                                                Start date:23.02.2021
                                                                Start time:09:47:17
                                                                Joe Sandbox Product:CloudBasic
                                                                Overall analysis duration:0h 8m 52s
                                                                Hypervisor based Inspection enabled:false
                                                                Report type:light
                                                                Sample file name:INV01562.exe
                                                                Cookbook file name:default.jbs
                                                                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                Number of analysed new started processes analysed:21
                                                                Number of new started drivers analysed:0
                                                                Number of existing processes analysed:0
                                                                Number of existing drivers analysed:0
                                                                Number of injected processes analysed:0
                                                                Technologies:
                                                                • HCA enabled
                                                                • EGA enabled
                                                                • HDC enabled
                                                                • AMSI enabled
                                                                Analysis Mode:default
                                                                Analysis stop reason:Timeout
                                                                Detection:MAL
                                                                Classification:mal100.troj.spyw.evad.winEXE@6/3@0/0
                                                                EGA Information:Failed
                                                                HDC Information:Failed
                                                                HCA Information:
                                                                • Successful, ratio: 96%
                                                                • Number of executed functions: 0
                                                                • Number of non-executed functions: 0
                                                                Cookbook Comments:
                                                                • Adjust boot time
                                                                • Enable AMSI
                                                                • Found application associated with file extension: .exe
                                                                Warnings:
                                                                Show All
                                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                • Report size getting too big, too many NtQueryValueKey calls found.

                                                                Simulations

                                                                Behavior and APIs

                                                                TimeTypeDescription
                                                                09:48:20API Interceptor632x Sleep call for process: INV01562.exe modified

                                                                Joe Sandbox View / Context

                                                                IPs

                                                                No context

                                                                Domains

                                                                No context

                                                                ASN

                                                                No context

                                                                JA3 Fingerprints

                                                                No context

                                                                Dropped Files

                                                                No context

                                                                Created / dropped Files

                                                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\INV01562.exe.log
                                                                Process:C:\Users\user\Desktop\INV01562.exe
                                                                File Type:ASCII text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):1216
                                                                Entropy (8bit):5.355304211458859
                                                                Encrypted:false
                                                                SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                                                MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                                                SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                                                SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                                                SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                                                Malicious:true
                                                                Reputation:high, very likely benign file
                                                                Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                                C:\Users\user\AppData\Local\Temp\tmp8EA8.tmp
                                                                Process:C:\Users\user\Desktop\INV01562.exe
                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):1657
                                                                Entropy (8bit):5.160424132139349
                                                                Encrypted:false
                                                                SSDEEP:24:2dH4+SEqC/S7h2ulNMFp2O/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB3Rtn:cbha7JlNQV/rydbz9I3YODOLNdq3N
                                                                MD5:A99F8F8D4B10F710A7C50BF776DAEBB3
                                                                SHA1:3EC454B3205EEF3BFF04AEF31F08ADECA6EC23A5
                                                                SHA-256:077F2EDF4808AD47190EA56CB48C3ECE2690D8CC638E323E97524E19F67C7507
                                                                SHA-512:5E3DFBD7761CE6E0395ECE51E0C7853AC2FECF6B834943F19D1D5CDCB665468F6AF1CBD9DD14DB69E961CCCE5417468A08CE1A22CD778356DB27D5A73E1C714C
                                                                Malicious:true
                                                                Reputation:low
                                                                Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvail
                                                                C:\Users\user\AppData\Roaming\ChpWNEmipxih.exe
                                                                Process:C:\Users\user\Desktop\INV01562.exe
                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):692224
                                                                Entropy (8bit):6.7992899453917515
                                                                Encrypted:false
                                                                SSDEEP:6144:pxwz1c/OmJxTcAWf9apVgF6rOUsnrhlGqCtttttwgGTyWI+xHvqvvq1FgDYEpF2t:0ZTE2vSvcspOxl7CSUJFxisZ
                                                                MD5:513D86DD42100EA5C41BB0AC562CEE55
                                                                SHA1:0887972445E88C9628CC46A61B51FA140D5BD675
                                                                SHA-256:AD2E708430F74C1382AC3D83421E940414F109DBC76A8B4504F152B6ED237670
                                                                SHA-512:36E8E81C7478CEE9E5860E29711C02D7002D5F77F267EFB3EA134C505E63ACCDDE1D7D069639FB1A0BA1E7300A2644D3FD07C028FA9ADAFE09E55A8761263C95
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 11%
                                                                Reputation:low
                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....K4`..............0.............^.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...d.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................@.......H.......,[..x............C..ha.............................................}.....(.......(......{....r...p~/...(....o......{....o....&*..0............r...p(....&......o....&...*...................n..t.....o......{....o....&*.....(.....*~..{....o......{....o....(.....*.0..+.........,..{.......+....,...{....o........( ....*..0............s!...}.........("...s#.....s$...}.....s%...}.....s%...}......{....s&...}.....s'...}.....s%...}.....s%...}.....s(...}.....{....o).....{....o)..

                                                                Static File Info

                                                                General

                                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                Entropy (8bit):6.7992899453917515
                                                                TrID:
                                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                • Windows Screen Saver (13104/52) 0.07%
                                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                                File name:INV01562.exe
                                                                File size:692224
                                                                MD5:513d86dd42100ea5c41bb0ac562cee55
                                                                SHA1:0887972445e88c9628cc46a61b51fa140d5bd675
                                                                SHA256:ad2e708430f74c1382ac3d83421e940414f109dbc76a8b4504f152b6ed237670
                                                                SHA512:36e8e81c7478cee9e5860e29711c02d7002d5f77f267efb3ea134c505e63accdde1d7d069639fb1a0ba1e7300a2644d3fd07c028fa9adafe09e55a8761263c95
                                                                SSDEEP:6144:pxwz1c/OmJxTcAWf9apVgF6rOUsnrhlGqCtttttwgGTyWI+xHvqvvq1FgDYEpF2t:0ZTE2vSvcspOxl7CSUJFxisZ
                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....K4`..............0.............^.... ........@.. ....................................@................................

                                                                File Icon

                                                                Icon Hash:00828e8e8686b000

                                                                Static PE Info

                                                                General

                                                                Entrypoint:0x4aa55e
                                                                Entrypoint Section:.text
                                                                Digitally signed:false
                                                                Imagebase:0x400000
                                                                Subsystem:windows gui
                                                                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                Time Stamp:0x60344B99 [Tue Feb 23 00:26:01 2021 UTC]
                                                                TLS Callbacks:
                                                                CLR (.Net) Version:v4.0.30319
                                                                OS Version Major:4
                                                                OS Version Minor:0
                                                                File Version Major:4
                                                                File Version Minor:0
                                                                Subsystem Version Major:4
                                                                Subsystem Version Minor:0
                                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                Entrypoint Preview

                                                                Instruction
                                                                jmp dword ptr [00402000h]
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al

                                                                Data Directories

                                                                NameVirtual AddressVirtual Size Is in Section
                                                                IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                IMAGE_DIRECTORY_ENTRY_IMPORT0xaa50c0x4f.text
                                                                IMAGE_DIRECTORY_ENTRY_RESOURCE0xac0000x5bc.rsrc
                                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                IMAGE_DIRECTORY_ENTRY_BASERELOC0xae0000xc.reloc
                                                                IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                                IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                Sections

                                                                NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                .text0x20000xa85640xa8600False0.630830375371data6.80837869151IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                .rsrc0xac0000x5bc0x600False0.426432291667data4.14245864032IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                .reloc0xae0000xc0x200False0.044921875data0.101910425663IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                Resources

                                                                NameRVASizeTypeLanguageCountry
                                                                RT_VERSION0xac0900x32cdata
                                                                RT_MANIFEST0xac3cc0x1eaXML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                                Imports

                                                                DLLImport
                                                                mscoree.dll_CorExeMain

                                                                Version Infos

                                                                DescriptionData
                                                                Translation0x0000 0x04b0
                                                                LegalCopyrightCopyright 2016
                                                                Assembly Version1.0.0.0
                                                                InternalNameNT1msMnD.exe
                                                                FileVersion1.0.0.0
                                                                CompanyName
                                                                LegalTrademarks
                                                                Comments
                                                                ProductNameCore.Numero
                                                                ProductVersion1.0.0.0
                                                                FileDescriptionCore.Numero
                                                                OriginalFilenameNT1msMnD.exe

                                                                Network Behavior

                                                                No network behavior found

                                                                Code Manipulations

                                                                Statistics

                                                                Behavior

                                                                Click to jump to process

                                                                System Behavior

                                                                Analysis Process: INV01562.exe PID: 6992 Parent PID: 5956

                                                                General

                                                                Start time:09:48:09
                                                                Start date:23/02/2021
                                                                Path:C:\Users\user\Desktop\INV01562.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:'C:\Users\user\Desktop\INV01562.exe'
                                                                Imagebase:0xc30000
                                                                File size:692224 bytes
                                                                MD5 hash:513D86DD42100EA5C41BB0AC562CEE55
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:.Net C# or VB.NET
                                                                Yara matches:
                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.394452914.00000000041F9000.00000004.00000001.sdmp, Author: Joe Security
                                                                Reputation:low

                                                                Analysis Process: schtasks.exe PID: 4524 Parent PID: 6992

                                                                General

                                                                Start time:09:48:34
                                                                Start date:23/02/2021
                                                                Path:C:\Windows\SysWOW64\schtasks.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ChpWNEmipxih' /XML 'C:\Users\user\AppData\Local\Temp\tmp8EA8.tmp'
                                                                Imagebase:0x11d0000
                                                                File size:185856 bytes
                                                                MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high

                                                                Analysis Process: conhost.exe PID: 1604 Parent PID: 4524

                                                                General

                                                                Start time:09:48:35
                                                                Start date:23/02/2021
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff61de10000
                                                                File size:625664 bytes
                                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high

                                                                Analysis Process: INV01562.exe PID: 5776 Parent PID: 6992

                                                                General

                                                                Start time:09:48:35
                                                                Start date:23/02/2021
                                                                Path:C:\Users\user\Desktop\INV01562.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:{path}
                                                                Imagebase:0x540000
                                                                File size:692224 bytes
                                                                MD5 hash:513D86DD42100EA5C41BB0AC562CEE55
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:.Net C# or VB.NET
                                                                Yara matches:
                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.598365443.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.600806948.0000000002981000.00000004.00000001.sdmp, Author: Joe Security
                                                                Reputation:low

                                                                Disassembly

                                                                Code Analysis

                                                                Reset < >