Analysis Report u4nCZtpsbeihgbe.exe

Overview

General Information

Sample Name: u4nCZtpsbeihgbe.exe
Analysis ID: 358395
MD5: cc5a26619d9ccedd6ee0b4972b08db46
SHA1: e185e3b1c9525d988f2efa32285f46e2d7cd675f
SHA256: 926c237123af4acecbbbde443fea178a40983df81beb3e06c656c59684bf370c
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Antivirus or Machine Learning detection for unpacked file
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • u4nCZtpsbeihgbe.exe (PID: 5536 cmdline: 'C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe' MD5: CC5A26619D9CCEDD6EE0B4972B08DB46)
  • UTCCf.exe (PID: 6984 cmdline: 'C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe' MD5: CC5A26619D9CCEDD6EE0B4972B08DB46)
    • UTCCf.exe (PID: 4944 cmdline: {path} MD5: CC5A26619D9CCEDD6EE0B4972B08DB46)
  • UTCCf.exe (PID: 7028 cmdline: 'C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe' MD5: CC5A26619D9CCEDD6EE0B4972B08DB46)
    • UTCCf.exe (PID: 3580 cmdline: {path} MD5: CC5A26619D9CCEDD6EE0B4972B08DB46)
    • UTCCf.exe (PID: 1288 cmdline: {path} MD5: CC5A26619D9CCEDD6EE0B4972B08DB46)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "FTP Info": "info@indiaflanges.comdvdxq;nx{(MV5@mmail.indiaflanges.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.279078247.00000000041B9000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000006.00000002.488693638.00000000032D1000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000006.00000002.488693638.00000000032D1000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000012.00000002.430666178.0000000003211000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000012.00000002.430666178.0000000003211000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
15.2.UTCCf.exe.3a4e990.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
6.2.u4nCZtpsbeihgbe.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
16.2.UTCCf.exe.3a8e990.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
18.2.UTCCf.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
16.2.UTCCf.exe.3a8e990.1.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 15.2.UTCCf.exe.3a4e990.1.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "FTP Info": "info@indiaflanges.comdvdxq;nx{(MV5@mmail.indiaflanges.com"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe | ReversingLabs: Detection: 22%
Multi AV Scanner detection for submitted file
Source: u4nCZtpsbeihgbe.exe | ReversingLabs: Detection: 22%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: u4nCZtpsbeihgbe.exe | Joe Sandbox ML: detected
Source: 6.2.u4nCZtpsbeihgbe.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 18.2.UTCCf.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 22.2.UTCCf.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files
Source: u4nCZtpsbeihgbe.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: u4nCZtpsbeihgbe.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: u4nCZtpsbeihgbe.exe, 00000006.00000002.488693638.00000000032D1000.00000004.00000001.sdmp, UTCCf.exe, 00000012.00000002.430666178.0000000003211000.00000004.00000001.sdmp, UTCCf.exe, 00000016.00000002.486344941.0000000003241000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: u4nCZtpsbeihgbe.exe, 00000006.00000002.488693638.00000000032D1000.00000004.00000001.sdmp, u4nCZtpsbeihgbe.exe, 00000006.00000002.491691762.00000000035B6000.00000004.00000001.sdmp, u4nCZtpsbeihgbe.exe, 00000006.00000002.491758882.00000000035BE000.00000004.00000001.sdmp | String found in binary or memory: http://5XSOtKxpbh4CX.org
Source: UTCCf.exe, 00000016.00000002.486344941.0000000003241000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: u4nCZtpsbeihgbe.exe, 00000006.00000002.491537812.0000000003592000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: u4nCZtpsbeihgbe.exe, 00000006.00000002.496288481.0000000006E69000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: u4nCZtpsbeihgbe.exe, 00000006.00000002.491537812.0000000003592000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: u4nCZtpsbeihgbe.exe, 00000006.00000002.491537812.0000000003592000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: u4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: UTCCf.exe, 00000010.00000002.425351707.0000000000D93000.00000004.00000020.sdmp | String found in binary or memory: http://go.mic
Source: u4nCZtpsbeihgbe.exe, 00000006.00000002.491537812.0000000003592000.00000004.00000001.sdmp | String found in binary or memory: http://indiaflanges.com
Source: u4nCZtpsbeihgbe.exe, 00000006.00000002.491537812.0000000003592000.00000004.00000001.sdmp | String found in binary or memory: http://mail.indiaflanges.com
Source: u4nCZtpsbeihgbe.exe, 00000006.00000002.491537812.0000000003592000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: UTCCf.exe, 00000016.00000002.486344941.0000000003241000.00000004.00000001.sdmp | String found in binary or memory: http://rlPXNy.com
Source: u4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: u4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: u4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: u4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: u4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: u4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: u4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: u4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: u4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: u4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: u4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: u4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: u4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: u4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: u4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: u4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: u4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: u4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: u4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: u4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: u4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: u4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: u4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: u4nCZtpsbeihgbe.exe, 00000006.00000002.488693638.00000000032D1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%$
Source: UTCCf.exe, 00000016.00000002.486344941.0000000003241000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: u4nCZtpsbeihgbe.exe, 00000006.00000002.491537812.0000000003592000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: u4nCZtpsbeihgbe.exe, 00000001.00000002.279078247.00000000041B9000.00000004.00000001.sdmp, u4nCZtpsbeihgbe.exe, 00000006.00000002.479681769.0000000000402000.00000040.00000001.sdmp, UTCCf.exe, 0000000F.00000002.397074520.0000000003939000.00000004.00000001.sdmp, UTCCf.exe, 00000010.00000002.430420899.0000000003979000.00000004.00000001.sdmp, UTCCf.exe, 00000012.00000002.427887862.0000000000402000.00000040.00000001.sdmp, UTCCf.exe, 00000016.00000002.479863596.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: u4nCZtpsbeihgbe.exe, 00000006.00000002.488693638.00000000032D1000.00000004.00000001.sdmp, UTCCf.exe, 00000012.00000002.430666178.0000000003211000.00000004.00000001.sdmp, UTCCf.exe, 00000016.00000002.486344941.0000000003241000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: UTCCf.exe, 0000000F.00000002.393131917.0000000000D28000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary:

.NET source code contains very large array initializations
Source: 6.2.u4nCZtpsbeihgbe.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bE5200965u002d7E04u002d4669u002dB283u002d124A998C0C6Fu007d/u0034DB0973Cu002d71C6u002d4E39u002dAFCBu002d0D7584BBC7A5.cs | Large array initialization: .cctor: array initializer size 11928
Source: 18.2.UTCCf.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bE5200965u002d7E04u002d4669u002dB283u002d124A998C0C6Fu007d/u0034DB0973Cu002d71C6u002d4E39u002dAFCBu002d0D7584BBC7A5.cs | Large array initialization: .cctor: array initializer size 11928
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe | Code function: 1_2_00DB2050
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe | Code function: 1_2_00DBABC3
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe | Code function: 1_2_00DB8AC7
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe | Code function: 1_2_00DB2AEA
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe | Code function: 1_2_00DB9BA3
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe | Code function: 1_2_0178D4DC
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe | Code function: 1_2_077B2E6D
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe | Code function: 1_2_077B06A6
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe | Code function: 1_2_077B6DE0
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe | Code function: 1_2_077B0C32
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe | Code function: 1_2_092AC530
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe | Code function: 1_2_092AA948
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe | Code function: 1_2_092A0040
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe | Code function: 1_2_092A3780
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe | Code function: 1_2_092AC522
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe | Code function: 1_2_092A4969
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe | Code function: 1_2_092A4978
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe | Code function: 1_2_092A4728
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe | Code function: 1_2_00DB2D32
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe | Code function: 6_2_00F19BA3
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe | Code function: 6_2_00F12AEA
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe | Code function: 6_2_00F12050
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe | Code function: 6_2_00F1ABC3
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe | Code function: 6_2_00F18AC7
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe | Code function: 6_2_015F46A0
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe | Code function: 6_2_015F35C4
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe | Code function: 6_2_015F4618
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe | Code function: 6_2_015F5390
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe | Code function: 6_2_015FDA01
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe | Code function: 6_2_01746120
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe | Code function: 6_2_01746858
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe | Code function: 6_2_01745AE8
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe | Code function: 6_2_00F12D32
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe | Code function: 15_2_004D8AC7
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe | Code function: 15_2_004DABC3
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe | Code function: 15_2_004D2050
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe | Code function: 15_2_004D2AEA
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe | Code function: 15_2_004D9BA3
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe | Code function: 15_2_00F4D4DC
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe | Code function: 15_2_06C706A6
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe | Code function: 15_2_06C72E6D
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe | Code function: 15_2_06C70C32
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe | Code function: 15_2_06C76DE0
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe | Code function: 15_2_08290040
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe | Code function: 15_2_0829C530
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe | Code function: 15_2_0829A948
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe | Code function: 15_2_08293780
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe | Code function: 15_2_0829C522
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe | Code function: 15_2_08294969
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe | Code function: 15_2_08294978
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe | Code function: 15_2_082932B0
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe | Code function: 15_2_082966B5
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe | Code function: 15_2_08294728
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe | Code function: 15_2_08294717
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe | Code function: 15_2_004D2D32
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe | Code function: 16_2_00562050
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe | Code function: 16_2_00568AC7
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe | Code function: 16_2_0056ABC3
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe | Code function: 16_2_00569BA3
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe | Code function: 16_2_00562AEA
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe | Code function: 16_2_00D3D4DC
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe | Code function: 16_2_06BD3780
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe | Code function: 16_2_06BDC530
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe | Code function: 16_2_06BD2113
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe | Code function: 16_2_06BD2C30
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe | Code function: 16_2_06BDA948
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe | Code function: 16_2_06BD66B5
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe | Code function: 16_2_06BD4728
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe | Code function: 16_2_06BD4717
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe | Code function: 16_2_06BD4978
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe | Code function: 16_2_06BD4969
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe | Code function: 16_2_00562D32
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe | Code function: 18_2_00B59BA3
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe | Code function: 18_2_00B52AEA
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe | Code function: 18_2_00B52050
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe | Code function: 18_2_00B58AC7
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe | Code function: 18_2_00B5ABC3
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe | Code function: 18_2_015546A0
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe | Code function: 18_2_015545B0
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe | Code function: 18_2_0155DA01
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe | Code function: 18_2_00B52D32
Source: u4nCZtpsbeihgbe.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: UTCCf.exe.6.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: u4nCZtpsbeihgbe.exe | Binary or memory string: OriginalFilename vs u4nCZtpsbeihgbe.exe
Source: u4nCZtpsbeihgbe.exe, 00000001.00000002.279078247.00000000041B9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamenXElHhxtxWCmccBastwMdhHRj.exe4 vs u4nCZtpsbeihgbe.exe
Source: u4nCZtpsbeihgbe.exe, 00000001.00000002.275179968.0000000000DB2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename6Q vs u4nCZtpsbeihgbe.exe
Source: u4nCZtpsbeihgbe.exe, 00000001.00000002.287818468.0000000009130000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs u4nCZtpsbeihgbe.exe
Source: u4nCZtpsbeihgbe.exe, 00000001.00000002.287774249.00000000090C0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs u4nCZtpsbeihgbe.exe
Source: u4nCZtpsbeihgbe.exe | Binary or memory string: OriginalFilename vs u4nCZtpsbeihgbe.exe
Source: u4nCZtpsbeihgbe.exe, 00000006.00000002.486634861.0000000001730000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs u4nCZtpsbeihgbe.exe
Source: u4nCZtpsbeihgbe.exe, 00000006.00000002.486612263.0000000001720000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx vs u4nCZtpsbeihgbe.exe
Source: u4nCZtpsbeihgbe.exe, 00000006.00000000.274159733.0000000000F12000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename6Q vs u4nCZtpsbeihgbe.exe
Source: u4nCZtpsbeihgbe.exe, 00000006.00000002.485302007.0000000001619000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs u4nCZtpsbeihgbe.exe
Source: u4nCZtpsbeihgbe.exe, 00000006.00000002.479681769.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamenXElHhxtxWCmccBastwMdhHRj.exe4 vs u4nCZtpsbeihgbe.exe
Source: u4nCZtpsbeihgbe.exe, 00000006.00000002.486700802.0000000001890000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs u4nCZtpsbeihgbe.exe
Source: u4nCZtpsbeihgbe.exe | Binary or memory string: OriginalFilename6Q vs u4nCZtpsbeihgbe.exe
Source: u4nCZtpsbeihgbe.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: u4nCZtpsbeihgbe.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: UTCCf.exe.6.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 6.2.u4nCZtpsbeihgbe.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 18.2.UTCCf.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.evad.winEXE@11/4@0/0
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\u4nCZtpsbeihgbe.exe.log
Source: u4nCZtpsbeihgbe.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: u4nCZtpsbeihgbe.exeReversingLabs: Detection: 22%
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeFile read: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe 'C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe'
                      Source: unknownProcess created: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe {path}
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe 'C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe'
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe 'C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe'
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe {path}
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe {path}
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe {path}
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeProcess created: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe {path}
                      Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exeProcess created: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe {path}
                      Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exeProcess created: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe {path}
                      Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exeProcess created: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe {path}
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: u4nCZtpsbeihgbe.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: u4nCZtpsbeihgbe.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker
Source: u4nCZtpsbeihgbe.exe, StudentStudio/MainForm.cs | .Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.u4nCZtpsbeihgbe.exe.db0000.0.unpack, StudentStudio/MainForm.cs | .Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.u4nCZtpsbeihgbe.exe.db0000.0.unpack, StudentStudio/MainForm.cs | .Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: UTCCf.exe.6.dr, StudentStudio/MainForm.cs | .Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.u4nCZtpsbeihgbe.exe.f10000.0.unpack, StudentStudio/MainForm.cs | .Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.2.u4nCZtpsbeihgbe.exe.f10000.1.unpack, StudentStudio/MainForm.cs | .Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.2.UTCCf.exe.4d0000.0.unpack, StudentStudio/MainForm.cs | .Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.0.UTCCf.exe.4d0000.0.unpack, StudentStudio/MainForm.cs | .Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.0.UTCCf.exe.560000.0.unpack, StudentStudio/MainForm.cs | .Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 16.2.UTCCf.exe.560000.0.unpack, StudentStudio/MainForm.cs | .Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe | Code function: 1_2_077B7765 push FFFFFF8Bh; iretd
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe | Code function: 6_2_015FCD51 push esp; iretd
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe | Code function: 6_2_0174B53F push edi; retn 0000h
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe | Code function: 15_2_06C77765 push FFFFFF8Bh; iretd
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe | Code function: 15_2_06C71C51 push es; retf
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe | Code function: 16_2_00D38638 push 1400FF8Fh; ret
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe | Code function: 18_2_0155CD51 push esp; iretd
Source: initial sample | Static PE information: section name: .text entropy: 7.89057728197
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe | File created: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run UTCCf

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe | File opened: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe | Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeWindow / User API: threadDelayed 2100
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeWindow / User API: threadDelayed 7706
                      Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exeWindow / User API: threadDelayed 2771
                      Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exeWindow / User API: threadDelayed 5556
                      Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exeWindow / User API: threadDelayed 1750
                      Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exeWindow / User API: threadDelayed 3929
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe TID: 5920Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe TID: 6796Thread sleep time: -15679732462653109s >= -30000s
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe TID: 6800Thread sleep count: 2100 > 30
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe TID: 6800Thread sleep count: 7706 > 30
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe TID: 6796Thread sleep count: 50 > 30
                      Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe TID: 7012Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe TID: 7048Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe TID: 6312Thread sleep time: -11068046444225724s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe TID: 6316Thread sleep count: 2771 > 30
                      Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe TID: 6316Thread sleep count: 5556 > 30
                      Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe TID: 5044Thread sleep time: -10145709240540247s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe TID: 5024Thread sleep count: 1750 > 30
                      Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe TID: 5024Thread sleep count: 3929 > 30
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exeLast function: Thread delayed
                      Source: u4nCZtpsbeihgbe.exe, 00000006.00000002.496258061.0000000006E20000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeProcess information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeProcess token adjusted: Debug
                      Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exeProcess token adjusted: Debug
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeMemory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

                      Injects a PE file into a foreign process
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeMemory written: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exeMemory written: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeProcess created: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe {path}
                      Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exeProcess created: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe {path}
                      Source: u4nCZtpsbeihgbe.exe, 00000006.00000002.487162320.0000000001CF0000.00000002.00000001.sdmp, UTCCf.exe, 00000016.00000002.485378915.0000000001BD0000.00000002.00000001.sdmpBinary or memory string: Program Manager
                      Source: u4nCZtpsbeihgbe.exe, 00000006.00000002.487162320.0000000001CF0000.00000002.00000001.sdmp, UTCCf.exe, 00000016.00000002.485378915.0000000001BD0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
                      Source: u4nCZtpsbeihgbe.exe, 00000006.00000002.487162320.0000000001CF0000.00000002.00000001.sdmp, UTCCf.exe, 00000016.00000002.485378915.0000000001BD0000.00000002.00000001.sdmpBinary or memory string: Progman
                      Source: u4nCZtpsbeihgbe.exe, 00000006.00000002.487162320.0000000001CF0000.00000002.00000001.sdmp, UTCCf.exe, 00000016.00000002.485378915.0000000001BD0000.00000002.00000001.sdmpBinary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe  Queries volume information (VolumeInformation) for the following 189 files under C:\Windows\Fonts\:
wingding.ttf, YuGothR.ttc, YuGothM.ttc, YuGothL.ttc, YuGothB.ttc, holomdl2.ttf, CENTURY.TTF, LEELAWAD.TTF, LEELAWDB.TTF, MSUIGHUR.TTF,
MSUIGHUB.TTF, WINGDNG2.TTF, WINGDNG3.TTF, TEMPSITC.TTF, PRISTINA.TTF, PAPYRUS.TTF, MISTRAL.TTF, LHANDW.TTF, ITCKRIST.TTF, JUICE___.TTF,
FRSCRIPT.TTF, FREESCPT.TTF, BRADHITC.TTF, OUTLOOK.TTF, BKANT.TTF, ANTQUAI.TTF, ANTQUAB.TTF, ANTQUABI.TTF, GARA.TTF, GARAIT.TTF,
GARABD.TTF, MTCORSVA.TTF, GOTHIC.TTF, GOTHICI.TTF, GOTHICB.TTF, GOTHICBI.TTF, ALGER.TTF, BASKVILL.TTF, BAUHS93.TTF, BELL.TTF,
BELLI.TTF, BELLB.TTF, BRLNSR.TTF, BRLNSDB.TTF, BRLNSB.TTF, BERNHC.TTF, BOD_PSTC.TTF, BRITANIC.TTF, BROADW.TTF, BRUSHSCI.TTF,
CALIFR.TTF, CALIFI.TTF, CALIFB.TTF, CENTAUR.TTF, CHILLER.TTF, COLONNA.TTF, COOPBL.TTF, FTLTLT.TTF, HARLOWSI.TTF, HARNGTON.TTF,
HTOWERT.TTF, HTOWERTI.TTF, JOKERMAN.TTF, KUNSTLER.TTF, LBRITE.TTF, LBRITED.TTF, LBRITEI.TTF, LBRITEDI.TTF, LCALLIG.TTF, LFAX.TTF,
LFAXD.TTF, LFAXI.TTF, LFAXDI.TTF, MAGNETOB.TTF, MATURASC.TTF, MOD20.TTF, NIAGENG.TTF, NIAGSOL.TTF, OLDENGL.TTF, ONYX.TTF,
PARCHM.TTF, PLAYBILL.TTF, POORICH.TTF, RAVIE.TTF, INFROMAN.TTF, SHOWG.TTF, SNAP____.TTF, STENCIL.TTF, VINERITC.TTF, VIVALDII.TTF,
VLADIMIR.TTF, LATINWD.TTF, TCM_____.TTF, TCMI____.TTF, TCB_____.TTF, TCBI____.TTF, TCCM____.TTF, TCCB____.TTF, TCCEB.TTF, SCRIPTBL.TTF,
ROCK.TTF, ROCKI.TTF, ROCKB.TTF, ROCKEB.TTF, ROCKBI.TTF, ROCC____.TTF, ROCCB___.TTF, RAGE.TTF, PERTILI.TTF, PERTIBD.TTF,
PER_____.TTF, PERI____.TTF, PERB____.TTF, PERBI___.TTF, PALSCRI.TTF, OCRAEXT.TTF, MAIAN.TTF, LTYPE.TTF, LTYPEO.TTF, LTYPEB.TTF,
LTYPEBO.TTF, LSANS.TTF, LSANSD.TTF, LSANSI.TTF, LSANSDI.TTF, IMPRISHA.TTF, HATTEN.TTF, GOUDYSTO.TTF, GOUDOS.TTF, GOUDOSI.TTF,
GOUDOSB.TTF, GLECB.TTF, GIL_____.TTF, GILI____.TTF, GILB____.TTF, GILBI___.TTF, GILC____.TTF, GLSNECB.TTF, GIGI.TTF, FRABK.TTF,
FRABKIT.TTF, FORTE.TTF, FELIXTI.TTF, ERASMD.TTF, ERASLGHT.TTF, ERASDEMI.TTF, ERASBD.TTF, ENGR.TTF, ELEPHNT.TTF, ELEPHNTI.TTF,
ITCEDSCR.TTF, CURLZ___.TTF, COPRGTL.TTF, COPRGTB.TTF, CENSCBK.TTF, SCHLBKI.TTF, SCHLBKB.TTF, SCHLBKBI.TTF, CASTELAR.TTF, CALIST.TTF,
CALISTI.TTF, CALISTB.TTF, CALISTBI.TTF, BOOKOS.TTF, BOOKOSB.TTF, BOOKOSI.TTF, BOOKOSBI.TTF, BOD_R.TTF, BOD_I.TTF, BOD_B.TTF,
BOD_BI.TTF, BOD_CR.TTF, BOD_BLAR.TTF, BOD_CI.TTF, BOD_CB.TTF, BOD_BLAI.TTF, BOD_CBI.TTF, ITCBLKAD.TTF, ARLRDBD.TTF, AGENCYR.TTF,
AGENCYB.TTF, BSSYM7.TTF, REFSAN.TTF, REFSPCL.TTF, MTEXTRA.TTF, marlett.ttf, micross.ttf, segoeuii.ttf, segoeuiz.ttf
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe  Queries volume information: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe VolumeInformation
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe  Queries volume information: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe  Queries volume information: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe  Queries volume information: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe  Queries volume information: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 00000001.00000002.279078247.00000000041B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.488693638.00000000032D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.430666178.0000000003211000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.479863596.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.427887862.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.486344941.0000000003241000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.479681769.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.430420899.0000000003979000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.397074520.0000000003939000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: UTCCf.exe PID: 1288, type: MEMORY
Source: Yara match | File source: Process Memory Space: UTCCf.exe PID: 7028, type: MEMORY
Source: Yara match | File source: Process Memory Space: u4nCZtpsbeihgbe.exe PID: 5932, type: MEMORY
Source: Yara match | File source: Process Memory Space: UTCCf.exe PID: 4944, type: MEMORY
Source: Yara match | File source: Process Memory Space: u4nCZtpsbeihgbe.exe PID: 5536, type: MEMORY
Source: Yara match | File source: Process Memory Space: UTCCf.exe PID: 6984, type: MEMORY
Source: Yara match | File source: 15.2.UTCCf.exe.3a4e990.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.u4nCZtpsbeihgbe.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.UTCCf.exe.3a8e990.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.UTCCf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.UTCCf.exe.3a8e990.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.u4nCZtpsbeihgbe.exe.42ce990.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.UTCCf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.u4nCZtpsbeihgbe.exe.42ce990.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.UTCCf.exe.3a4e990.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.488693638.00000000032D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.430666178.0000000003211000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.486344941.0000000003241000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: UTCCf.exe PID: 1288, type: MEMORY
Source: Yara match | File source: Process Memory Space: u4nCZtpsbeihgbe.exe PID: 5932, type: MEMORY
Source: Yara match | File source: Process Memory Space: UTCCf.exe PID: 4944, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 00000001.00000002.279078247.00000000041B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.488693638.00000000032D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.430666178.0000000003211000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.479863596.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.427887862.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.486344941.0000000003241000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.479681769.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.430420899.0000000003979000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.397074520.0000000003939000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: UTCCf.exe PID: 1288, type: MEMORY
Source: Yara match | File source: Process Memory Space: UTCCf.exe PID: 7028, type: MEMORY
Source: Yara match | File source: Process Memory Space: u4nCZtpsbeihgbe.exe PID: 5932, type: MEMORY
Source: Yara match | File source: Process Memory Space: UTCCf.exe PID: 4944, type: MEMORY
Source: Yara match | File source: Process Memory Space: u4nCZtpsbeihgbe.exe PID: 5536, type: MEMORY
Source: Yara match | File source: Process Memory Space: UTCCf.exe PID: 6984, type: MEMORY
Source: Yara match | File source: 15.2.UTCCf.exe.3a4e990.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.u4nCZtpsbeihgbe.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.UTCCf.exe.3a8e990.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.UTCCf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.UTCCf.exe.3a8e990.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.u4nCZtpsbeihgbe.exe.42ce990.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.UTCCf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.u4nCZtpsbeihgbe.exe.42ce990.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.UTCCf.exe.3a4e990.1.raw.unpack, type: UNPACKEDPE
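
The Yara source lists above mix three kinds of artefact: Joe Sandbox memory-region dumps (`*.sdmp`), whole process memory spaces (`PID: …`) and unpacked PE images (`*.unpack`), and the same source is listed under several sections. The script below is an added example, not part of the report, that parses these lines into records, de-duplicates them and flags the processes in which an executable (0x40, PAGE_EXECUTE_READWRITE) region with a Yara hit lies inside that process' unpacked main image. That combination, a hit at 0x402000 in a region with execute rights in a process whose main image was unpacked from 0x400000, is what a PE written into a suspended child leaves behind. The field layout of the dump name (process index in hex, stage, dump id, base address, protection, region type) is my assumption about the naming convention, not something the report states; it is consistent with the page, since dump prefix 00000012 is process 18, which is also the "18.2.UTCCf.exe.400000.0.unpack" entry. The sample lines are copied from the lists above.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Win32 PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY
PAGE_EXECUTE_MASK = 0x10 | 0x20 | 0x40 | 0x80

# Assumed dump-name layout (not documented by the report):
# <process index, hex>.<stage>.<dump id>.<base address>.<protection>.<region type>.sdmp
DUMP_RE = re.compile(
    r"^Source: Yara match\s*\|?\s*File source: "
    r"(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<addr>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<kind>[0-9A-Fa-f]{8})\.sdmp, "
    r"type: (?P<type>\w+)$"
)
PROC_RE = re.compile(
    r"^Source: Yara match\s*\|?\s*File source: Process Memory Space: (?P<image>\S+) "
    r"PID: (?P<pid>\d+), type: (?P<type>\w+)$"
)
# <process index, decimal>.<stage>.<image>.<address, hex>.<index>[.raw].unpack
UNPACK_RE = re.compile(
    r"^Source: Yara match\s*\|?\s*File source: (?P<proc>\d+)\.(?P<stage>\d+)\.(?P<image>.+?)\."
    r"(?P<addr>[0-9A-Fa-f]+)\.(?P<idx>\d+)(?:\.raw)?\.unpack, type: (?P<type>\w+)$"
)

# Constructed sample: a subset of the report's own source lines, with one
# duplicate kept deliberately (the report repeats sources across sections).
SAMPLE = """\
Source: Yara matchFile source: 00000001.00000002.279078247.00000000041B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000006.00000002.479681769.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000012.00000002.427887862.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000001.00000002.279078247.00000000041B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: Process Memory Space: UTCCf.exe PID: 1288, type: MEMORY
Source: Yara matchFile source: 6.2.u4nCZtpsbeihgbe.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 18.2.UTCCf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 1.2.u4nCZtpsbeihgbe.exe.42ce990.1.raw.unpack, type: UNPACKEDPE
"""


@dataclass(frozen=True)
class YaraSource:
    kind: str                    # "dump", "process" or "unpack"
    proc: Optional[int]          # analysis process index (None for PID-only entries)
    addr: Optional[int] = None   # region base / image base address
    prot: Optional[int] = None   # page protection, dump entries only
    image: Optional[str] = None  # image file name
    pid: Optional[int] = None    # OS process id, process entries only
    idx: Optional[int] = None    # unpack index; 0 is the process' main image


def parse_yara_sources(text: str) -> list[YaraSource]:
    """Parse report source lines; unknown lines raise so nothing is silently dropped."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := DUMP_RE.match(line):
            out.append(YaraSource("dump", int(m["proc"], 16), int(m["addr"], 16), int(m["prot"], 16)))
        elif m := PROC_RE.match(line):
            out.append(YaraSource("process", None, image=m["image"], pid=int(m["pid"])))
        elif m := UNPACK_RE.match(line):
            out.append(YaraSource("unpack", int(m["proc"]), int(m["addr"], 16),
                                  image=m["image"], idx=int(m["idx"])))
        else:
            raise ValueError(f"unrecognised source line: {line!r}")
    # the same source is listed under several report sections: collapse duplicates
    return sorted(set(out), key=lambda s: (s.kind, s.proc or -1, s.addr or 0, s.pid or 0))


def injection_candidates(sources: list[YaraSource], window: int = 0x100000) -> dict[int, list[int]]:
    """Process index -> addresses of executable Yara-hit regions that sit inside an
    unpacked main image (index 0) of the same process."""
    bases = {(s.proc, s.addr) for s in sources if s.kind == "unpack" and s.idx == 0}
    hits: dict[int, list[int]] = {}
    for s in sources:
        if s.kind != "dump" or not (s.prot & PAGE_EXECUTE_MASK):
            continue
        for proc, base in bases:
            if proc == s.proc and base <= s.addr < base + window:
                hits.setdefault(proc, []).append(s.addr)
    return {p: sorted(a) for p, a in hits.items()}


if __name__ == "__main__":
    srcs = parse_yara_sources(SAMPLE)
    for s in srcs:
        print(s)
    for proc, addrs in injection_candidates(srcs).items():
        print(f"process #{proc}: executable Yara hit at "
              f"{', '.join(hex(a) for a in addrs)} inside its unpacked main image")
```

Run against the full lists on this page, the same logic singles out processes 6, 18 and 22 (the three "*.400000.0.unpack" images) and ignores the 0x04 heap regions in processes 1, 15 and 16, which hold the decrypted payload before it is injected.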

Mitre Att&ck Matrix

Digits after a technique name are the report's signature-hit badges for that technique; cells without digits are unmatched matrix entries.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 211 | Registry Run Keys / Startup Folder 1 | Process Injection 112 | Masquerading 1 | Input Capture 1 | Query Registry 1 | Remote Services | Input Capture 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Registry Run Keys / Startup Folder 1 | Virtualization/Sandbox Evasion 13 | LSASS Memory | Security Software Discovery 211 | Remote Desktop Protocol | Archive Collected Data 11 | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools 1 | Security Account Manager | Virtualization/Sandbox Evasion 13 | SMB/Windows Admin Shares | Clipboard Data 1 | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 112 | NTDS | Process Discovery 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | Application Window Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories 1 | Cached Domain Credentials | System Information Discovery 113 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information 2 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing 13 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

Behavior Graph

(Graph image not included in this copy; the legend of its node and edge types follows.)

Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet

Screenshots

(Screenshot thumbnails not included in this copy.)

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
u4nCZtpsbeihgbe.exe | 23% | ReversingLabs | Win32.Trojan.Pwsx
u4nCZtpsbeihgbe.exe | 100% | Joe Sandbox ML |

                      Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe | 23% | ReversingLabs | Win32.Trojan.Pwsx

                      Unpacked PE Files

Source | Detection | Scanner | Label
1.2.u4nCZtpsbeihgbe.exe.47acb28.2.unpack | 100% | Avira | HEUR/AGEN.1110362
6.2.u4nCZtpsbeihgbe.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
18.2.UTCCf.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
16.2.UTCCf.exe.3f6cb28.2.unpack | 100% | Avira | HEUR/AGEN.1110362
22.2.UTCCf.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
15.2.UTCCf.exe.3f2cb28.2.unpack | 100% | Avira | HEUR/AGEN.1110362

                      Domains

                      No Antivirus matches

                      URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://rlPXNy.com | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://go.mic | 0% | Avira URL Cloud | safe
https://api.ipify.org%$ | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://mail.indiaflanges.com | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://indiaflanges.com | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
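
Every URL in the table above is rated safe, which says little: most of them are font-vendor and licence strings that any .NET binary with embedded font or code-signing resources carries, often fused with neighbouring bytes by the string extractor ("carterandcone.coml", "typography.netD", "urwpp.deDPlease"). The triage script below is an added example, not part of the report, that separates that noise from the strings an analyst would follow up on. Its rules are analyst heuristics, not findings from the report: api.ipify.org is the external-IP lookup many stealers, AgentTesla included, use to tag a victim; a host named mail.* is a candidate SMTP exfiltration endpoint, SMTP being one of AgentTesla's usual exfiltration channels; the torproject.org path is a Tor client download. Hosts are matched by prefix so that fused trailing bytes do not hide a known domain. The input list is copied from the table.

```python
import re
from collections import Counter

# URL strings as the report lists them (copied from its URL table). Trailing runs
# such as "coml", "netD" or "DPlease" are bytes fused onto the URL by the string
# extractor, not part of it.
REPORT_URLS = [
    "http://127.0.0.1:HTTP/1.1",
    "http://DynDns.comDynDNS",
    "https://sectigo.com/CPS0",
    "http://www.founder.com.cn/cn/bThe",
    "https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha",
    "http://www.tiro.com",
    "http://rlPXNy.com",
    "http://www.goodfont.co.kr",
    "http://go.mic",
    "https://api.ipify.org%$",
    "http://www.carterandcone.coml",
    "http://www.typography.netD",
    "http://www.galapagosdesign.com/staff/dennis.htm",
    "http://fontfabrik.com",
    "http://mail.indiaflanges.com",
    "http://www.jiyu-kobo.co.jp/",
    "https://api.ipify.org%GETMozilla/5.0",
    "http://www.urwpp.deDPlease",
    "http://indiaflanges.com",
]

# Hosts found in the string table of almost any .NET binary that embeds font or
# code-signing resources: noise, not network indicators (analyst allowlist).
FONT_LICENCE_NOISE = (
    "fontbureau.com", "founder.com.cn", "tiro.com", "goodfont.co.kr",
    "carterandcone.com", "sajatypeworks.com", "typography.net",
    "galapagosdesign.com", "fontfabrik.com", "jiyu-kobo.co.jp", "sandoll.co.kr",
    "urwpp.de", "zhongyicts.com.cn", "sakkal.com", "fonts.com", "apache.org",
    "sectigo.com",
)

HOST_RE = re.compile(r"^https?://([A-Za-z0-9.\-]+)")


def host_of(url: str) -> str:
    """Host part of a memory string, lower-cased; ':', '/' or '%' terminate it."""
    m = HOST_RE.match(url)
    return m.group(1).lower() if m else ""


def classify(url: str) -> str:
    """Heuristic category for one URL string (rules are assumptions, see lead-in)."""
    host = host_of(url)
    bare = host[4:] if host.startswith("www.") else host
    if host.startswith("127."):
        return "loopback"
    if host == "api.ipify.org":
        return "external IP lookup"
    if "torproject.org" in url.lower():
        return "Tor client download"
    if bare.startswith("dyndns.com"):
        return "dynamic DNS provider"
    if host.startswith(("mail.", "smtp.")):
        return "SMTP exfiltration candidate"
    # prefix match, so "carterandcone.coml" still resolves to carterandcone.com
    if any(bare.startswith(noise) for noise in FONT_LICENCE_NOISE):
        return "font/licence metadata (noise)"
    return "unclassified"


def triage(urls):
    """Map each URL to a category; a bare domain that also appears as mail.<domain>
    is promoted out of 'unclassified' because it belongs to the same infrastructure."""
    result = {u: classify(u) for u in urls}
    mail_domains = {host_of(u).split(".", 1)[1]
                    for u, c in result.items() if c == "SMTP exfiltration candidate"}
    for u, c in list(result.items()):
        if c == "unclassified" and host_of(u) in mail_domains:
            result[u] = "domain of SMTP candidate"
    return result


def indicators(urls):
    """(category, url) pairs worth follow-up, most interesting first; noise and loopback dropped."""
    skip = {"font/licence metadata (noise)", "loopback"}
    order = ["SMTP exfiltration candidate", "domain of SMTP candidate", "Tor client download",
             "external IP lookup", "dynamic DNS provider", "unclassified"]
    return sorted(((c, u) for u, c in triage(urls).items() if c not in skip),
                  key=lambda cu: (order.index(cu[0]), cu[1]))


if __name__ == "__main__":
    print(Counter(triage(REPORT_URLS).values()))
    for category, url in indicators(REPORT_URLS):
        print(f"{category:30} {url}")
```

The "unclassified" bucket (here rlPXNy.com and the truncated go.mic) is where analyst time goes once the known noise is gone; the script deliberately does not guess at truncated strings.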

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      URLs from Memory and Binaries

                      NameSourceMaliciousAntivirus DetectionReputation
                      http://127.0.0.1:HTTP/1.1u4nCZtpsbeihgbe.exe, 00000006.00000002.488693638.00000000032D1000.00000004.00000001.sdmp, UTCCf.exe, 00000012.00000002.430666178.0000000003211000.00000004.00000001.sdmp, UTCCf.exe, 00000016.00000002.486344941.0000000003241000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      low
                      http://www.apache.org/licenses/LICENSE-2.0u4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmpfalse
                        high
                        http://www.fontbureau.comu4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmpfalse
                          high
                          http://www.fontbureau.com/designersGu4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmpfalse
                            high
                            http://DynDns.comDynDNSUTCCf.exe, 00000016.00000002.486344941.0000000003241000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            unknown
                            https://sectigo.com/CPS0u4nCZtpsbeihgbe.exe, 00000006.00000002.491537812.0000000003592000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            unknown
                            http://www.fontbureau.com/designers/?u4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmpfalse
                              high
                              http://www.founder.com.cn/cn/bTheu4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              unknown
                              https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%hau4nCZtpsbeihgbe.exe, 00000006.00000002.488693638.00000000032D1000.00000004.00000001.sdmp, UTCCf.exe, 00000012.00000002.430666178.0000000003211000.00000004.00000001.sdmp, UTCCf.exe, 00000016.00000002.486344941.0000000003241000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              unknown
                              http://www.fontbureau.com/designers?u4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmpfalse
                                high
                                http://www.tiro.comUTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                http://rlPXNy.comUTCCf.exe, 00000016.00000002.486344941.0000000003241000.00000004.00000001.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.fontbureau.com/designersUTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmpfalse
                                  high
                                  http://www.goodfont.co.kru4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  http://go.micUTCCf.exe, 00000010.00000002.425351707.0000000000D93000.00000004.00000020.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  https://api.ipify.org%$u4nCZtpsbeihgbe.exe, 00000006.00000002.488693638.00000000032D1000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  low
                                  http://www.carterandcone.comlu4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  http://www.sajatypeworks.comu4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  http://www.typography.netDu4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  http://www.fontbureau.com/designers/cabarga.htmlNu4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmpfalse
                                    high
                                    http://www.founder.com.cn/cn/cTheu4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.galapagosdesign.com/staff/dennis.htmu4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://fontfabrik.comu4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.founder.com.cn/cnu4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://mail.indiaflanges.comu4nCZtpsbeihgbe.exe, 00000006.00000002.491537812.0000000003592000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.fontbureau.com/designers/frere-jones.htmlu4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmpfalse
                                      high
                                      http://www.jiyu-kobo.co.jp/u4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      http://www.galapagosdesign.com/DPleaseu4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      http://www.fontbureau.com/designers8u4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmpfalse
                                        high
                                        https://api.ipify.org%GETMozilla/5.0UTCCf.exe, 00000016.00000002.486344941.0000000003241000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        low
                                        http://www.fonts.com | u4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmp | false
                                          high
                                          http://www.sandoll.co.kr | u4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmp | false
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          http://www.urwpp.deDPlease | u4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmp | false
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          http://www.zhongyicts.com.cn | u4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmp | false
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          http://www.sakkal.com | u4nCZtpsbeihgbe.exe, 00000001.00000002.283297190.0000000006180000.00000002.00000001.sdmp, UTCCf.exe, 0000000F.00000002.402213257.0000000005870000.00000002.00000001.sdmp, UTCCf.exe, 00000010.00000002.435534393.0000000005970000.00000002.00000001.sdmp | false
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          http://indiaflanges.com | u4nCZtpsbeihgbe.exe, 00000006.00000002.491537812.0000000003592000.00000004.00000001.sdmp | false
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | u4nCZtpsbeihgbe.exe, 00000001.00000002.279078247.00000000041B9000.00000004.00000001.sdmp, u4nCZtpsbeihgbe.exe, 00000006.00000002.479681769.0000000000402000.00000040.00000001.sdmp, UTCCf.exe, 0000000F.00000002.397074520.0000000003939000.00000004.00000001.sdmp, UTCCf.exe, 00000010.00000002.430420899.0000000003979000.00000004.00000001.sdmp, UTCCf.exe, 00000012.00000002.427887862.0000000000402000.00000040.00000001.sdmp, UTCCf.exe, 00000016.00000002.479863596.0000000000402000.00000040.00000001.sdmp | false
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown

                                          Contacted IPs

                                          No contacted IP infos

                                          General Information

                                          Joe Sandbox Version:31.0.0 Emerald
                                          Analysis ID:358395
                                          Start date:25.02.2021
                                          Start time:15:12:25
                                          Joe Sandbox Product:CloudBasic
                                          Overall analysis duration:0h 12m 45s
                                          Hypervisor based Inspection enabled:false
                                          Report type:light
                                          Sample file name:u4nCZtpsbeihgbe.exe
                                          Cookbook file name:default.jbs
                                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                          Number of new started processes analysed:27
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:0
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • HDC enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Detection:MAL
                                          Classification:mal100.troj.evad.winEXE@11/4@0/0
                                          EGA Information:Failed
                                          HDC Information:Failed
                                          HCA Information:
                                          • Successful, ratio: 98%
                                          • Number of executed functions: 0
                                          • Number of non-executed functions: 0
                                          Cookbook Comments:
                                          • Adjust boot time
                                          • Enable AMSI
                                          • Found application associated with file extension: .exe
                                          Warnings:
                                          • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                          • Report creation exceeded maximum time and may have missing disassembly code information.
                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                          • Report size getting too big, too many NtOpenKeyEx calls found.

                                          Simulations

                                          Behavior and APIs

                                          Time | Type | Description
                                          15:13:28 | API Interceptor | 530x Sleep call for process: u4nCZtpsbeihgbe.exe modified
                                          15:14:10 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run UTCCf C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe
                                          15:14:18 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run UTCCf C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe
                                          15:14:22 | API Interceptor | 73x Sleep call for process: UTCCf.exe modified

                                          Joe Sandbox View / Context

                                          IPs

                                          No context

                                          Domains

                                          No context

                                          ASN

                                          No context

                                          JA3 Fingerprints

                                          No context

                                          Dropped Files

                                          No context

                                          Created / dropped Files

                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\UTCCf.exe.log
                                          Process:C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1216
                                          Entropy (8bit):5.355304211458859
                                          Encrypted:false
                                          SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                          MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                          SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                          SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                          SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                          Malicious:false
                                          Reputation:high, very likely benign file
                                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\u4nCZtpsbeihgbe.exe.log
                                          Process:C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1216
                                          Entropy (8bit):5.355304211458859
                                          Encrypted:false
                                          SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                          MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                          SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                          SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                          SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                          Malicious:true
                                          Reputation:high, very likely benign file
                                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                          C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe
                                          Process:C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe
                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):762368
                                          Entropy (8bit):7.401013867361771
                                          Encrypted:false
                                          SSDEEP:12288:eQ/rLIkmDBCbaP32/PXm9K+SnWAruWgbea4ME4:eart8waam9yruWgbb
                                          MD5:CC5A26619D9CCEDD6EE0B4972B08DB46
                                          SHA1:E185E3B1C9525D988F2EFA32285F46E2D7CD675F
                                          SHA-256:926C237123AF4ACECBBBDE443FEA178A40983DF81BEB3E06C656C59684BF370C
                                          SHA-512:359EEDBC230C420A90ECE69E60C66A0339C3E6C0E97D8A62D48DB1ECC2E2C56A1785C2B78DCC3053007F957419F7FB30CBB0E71C159C7E0F64216ACF590E1B3C
                                          Malicious:true
                                          Antivirus:
                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                          • Antivirus: ReversingLabs, Detection: 23%
                                          Reputation:low
                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....u7`..............0.................. ... ....@.. ....................................@.....................................O.... ..`............................................................................ ............... ..H............text........ ...................... ..`.rsrc...`.... ......................@..@.reloc..............................@..B........................H.......d...(............;..(............................................0..l..........~....(......,..r...pr'..p..0(....&...A.{.....o......{....o....&...$..r=..p.o....(....r'..p...(....&.....*........EF.$.....0.............~....(......,..r...pr'..p..0(....&...q.........,..rG..pr'..p...(....&...N.{.....o......{.....o......{....o....&...$..r=..p.o....(....r'..p...(....&.....*........uv.$.....0..h..................,..rG..pr'..p...(....&...A.{.....o......{....o....&...$..r=..p.o.
                                          C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe:Zone.Identifier
                                          Process:C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:modified
                                          Size (bytes):26
                                          Entropy (8bit):3.95006375643621
                                          Encrypted:false
                                          SSDEEP:3:ggPYV:rPYV
                                          MD5:187F488E27DB4AF347237FE461A079AD
                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                          Malicious:true
                                          Reputation:high, very likely benign file
                                          Preview: [ZoneTransfer]....ZoneId=0

                                          Static File Info

                                          General

                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Entropy (8bit):7.401013867361771
                                          TrID:
                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                          • DOS Executable Generic (2002/1) 0.01%
                                          File name:u4nCZtpsbeihgbe.exe
                                          File size:762368
                                          MD5:cc5a26619d9ccedd6ee0b4972b08db46
                                          SHA1:e185e3b1c9525d988f2efa32285f46e2d7cd675f
                                          SHA256:926c237123af4acecbbbde443fea178a40983df81beb3e06c656c59684bf370c
                                          SHA512:359eedbc230c420a90ece69e60c66a0339c3e6c0e97d8a62d48db1ecc2e2c56a1785c2b78dcc3053007f957419f7fb30cbb0e71c159c7e0f64216acf590e1b3c
                                          SSDEEP:12288:eQ/rLIkmDBCbaP32/PXm9K+SnWAruWgbea4ME4:eart8waam9yruWgbb
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....u7`..............0.................. ... ....@.. ....................................@................................

                                          File Icon

                                          Icon Hash:f8c68c0d0d8ec4f8

                                          Static PE Info

                                          General

                                          Entrypoint:0x491c06
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                          Time Stamp:0x603775C6 [Thu Feb 25 10:02:46 2021 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:v4.0.30319
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                          Entrypoint Preview

                                          Instruction
                                          jmp dword ptr [00402000h]
                                          add byte ptr [eax], al (repeated 97 times: the remainder of the entrypoint preview is zero padding, which the disassembler decodes as this instruction)

                                          Data Directories

                                          Name | Virtual Address | Virtual Size | Is in Section
                                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x91bb4 | 0x4f | .text
                                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x92000 | 0x29e60 | .rsrc
                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xbc000 | 0xc | .reloc
                                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                          Sections

                                          Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                          .text | 0x2000 | 0x8fc0c | 0x8fe00 | False | 0.911669879453 | data | 7.89057728197 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                          .rsrc | 0x92000 | 0x29e60 | 0x2a000 | False | 0.118803478423 | data | 3.67097779526 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          .reloc | 0xbc000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                          Resources

                                          Name | RVA | Size | Type | Language | Country
                                          RT_ICON | 0x92200 | 0x1dd9 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
                                          RT_ICON | 0x93fec | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | |
                                          RT_ICON | 0xa4824 | 0x94a8 | data | |
                                          RT_ICON | 0xadcdc | 0x5488 | data | |
                                          RT_ICON | 0xb3174 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 64767, next used block 4282318848 | |
                                          RT_ICON | 0xb73ac | 0x25a8 | data | |
                                          RT_ICON | 0xb9964 | 0x10a8 | data | |
                                          RT_ICON | 0xbaa1c | 0x988 | data | |
                                          RT_ICON | 0xbb3b4 | 0x468 | GLS_BINARY_LSB_FIRST | |
                                          RT_GROUP_ICON | 0xbb82c | 0x84 | data | |
                                          RT_VERSION | 0xbb8c0 | 0x39e | data | |
                                          RT_MANIFEST | 0xbbc70 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                          Imports

                                          DLL | Import
                                          mscoree.dll | _CorExeMain

                                          Version Infos

                                          Description | Data
                                          Translation | 0x0000 0x04b0
                                          LegalCopyright | Copyright 2016 (C) gtx 1660 super
                                          Assembly Version | 2.3.0.13
                                          InternalName | 6QGT.exe
                                          FileVersion | 2.3.0.13
                                          CompanyName | gtx 1660 super
                                          LegalTrademarks |
                                          Comments | Student Studio
                                          ProductName | Student Studio
                                          ProductVersion | 2.3.0.13
                                          FileDescription | Student Studio
                                          OriginalFilename | 6QGT.exe

Network Behavior

No network behavior found

Code Manipulations

Statistics

Behavior


System Behavior

General

Start time: 15:13:19
Start date: 25/02/2021
Path: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe'
Imagebase: 0xdb0000
File size: 762368 bytes
MD5 hash: CC5A26619D9CCEDD6EE0B4972B08DB46
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.279078247.00000000041B9000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 15:13:47
Start date: 25/02/2021
Path: C:\Users\user\Desktop\u4nCZtpsbeihgbe.exe
Wow64 process (32bit): true
Commandline: {path}
Imagebase: 0xf10000
File size: 762368 bytes
MD5 hash: CC5A26619D9CCEDD6EE0B4972B08DB46
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.488693638.00000000032D1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.488693638.00000000032D1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.479681769.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 15:14:19
Start date: 25/02/2021
Path: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe'
Imagebase: 0x4d0000
File size: 762368 bytes
MD5 hash: CC5A26619D9CCEDD6EE0B4972B08DB46
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.397074520.0000000003939000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 23%, ReversingLabs
Reputation: low

General

Start time: 15:14:27
Start date: 25/02/2021
Path: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe'
Imagebase: 0x560000
File size: 762368 bytes
MD5 hash: CC5A26619D9CCEDD6EE0B4972B08DB46
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000002.430420899.0000000003979000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 15:14:42
Start date: 25/02/2021
Path: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe
Wow64 process (32bit): true
Commandline: {path}
Imagebase: 0xb50000
File size: 762368 bytes
MD5 hash: CC5A26619D9CCEDD6EE0B4972B08DB46
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000002.430666178.0000000003211000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000012.00000002.430666178.0000000003211000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000002.427887862.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 15:14:56
Start date: 25/02/2021
Path: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe
Wow64 process (32bit): false
Commandline: {path}
Imagebase: 0x410000
File size: 762368 bytes
MD5 hash: CC5A26619D9CCEDD6EE0B4972B08DB46
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

General

Start time: 15:14:56
Start date: 25/02/2021
Path: C:\Users\user\AppData\Roaming\UTCCf\UTCCf.exe
Wow64 process (32bit): true
Commandline: {path}
Imagebase: 0xe10000
File size: 762368 bytes
MD5 hash: CC5A26619D9CCEDD6EE0B4972B08DB46
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000016.00000002.479863596.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000016.00000002.486344941.0000000003241000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000016.00000002.486344941.0000000003241000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

Disassembly

Code Analysis
