Analysis Report zTM9EtIGQK.exe

Overview

General Information

Sample Name: zTM9EtIGQK.exe
Analysis ID: 383945
MD5: 01158bfc4ce6cb2c5a3cdbf661f13f8b
SHA1: 4d18044e5cfa5ebb9b397dd742648db870b1f32a
SHA256: 4ee443331bdebfdfffa8f7fe75c1434504a900dc792561390f27c3f9f0c8bc09
Tags: AgentTesla, exe
Detection

AgentTesla
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains very large array initializations
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Startup

  • System is w10x64
  • zTM9EtIGQK.exe (PID: 2996 cmdline: 'C:\Users\user\Desktop\zTM9EtIGQK.exe' MD5: 01158BFC4CE6CB2C5A3CDBF661F13F8B)
    • schtasks.exe (PID: 5852 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\VKAeWEikAShZpp' /XML 'C:\Users\user\AppData\Local\Temp\tmp7D9A.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • zTM9EtIGQK.exe (PID: 4864 cmdline: C:\Users\user\Desktop\zTM9EtIGQK.exe MD5: 01158BFC4CE6CB2C5A3CDBF661F13F8B)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "armyscheme3@yandex.combrowse9jasmtp.yandex.com"}

The extractor has run the SMTP settings together into one string. It reads as the exfiltration account armyscheme3@yandex.com, a middle token, and the server smtp.yandex.com, which the report also lists on its own among the strings found in process memory. The report does not label the middle token; in this layout it is most plausibly the SMTP password, but treat that as a reading of the string rather than an extracted field. Because the exfiltration endpoint is a legitimate mail provider, blocking the domain is not a useful control; the actionable indicators are the account name and outbound SMTP from a process that is not a mail client.

Yara Overview

Memory Dumps (Source / Rule / Description / Author)
  • 00000007.00000002.490822445.0000000003051000.00000004.00000001.sdmp / JoeSecurity_AgentTesla_1 / Yara detected AgentTesla / Joe Security
  • 00000007.00000002.490822445.0000000003051000.00000004.00000001.sdmp / JoeSecurity_CredentialStealer / Yara detected Credential Stealer / Joe Security
  • 00000007.00000002.483950823.0000000000402000.00000040.00000001.sdmp / JoeSecurity_AgentTesla_1 / Yara detected AgentTesla / Joe Security
  • 00000000.00000002.261761814.00000000024D3000.00000004.00000001.sdmp / JoeSecurity_AntiVM_3 / Yara detected AntiVM_3 / Joe Security
  • 00000000.00000002.262469777.0000000003581000.00000004.00000001.sdmp / JoeSecurity_AgentTesla_1 / Yara detected AgentTesla / Joe Security
  (4 further entries are not included in this export)

Unpacked PEs (Source / Rule / Description / Author)
  • 0.2.zTM9EtIGQK.exe.36231a0.2.unpack / JoeSecurity_AgentTesla_1 / Yara detected AgentTesla / Joe Security
  • 7.2.zTM9EtIGQK.exe.400000.0.unpack / JoeSecurity_AgentTesla_1 / Yara detected AgentTesla / Joe Security
  • 0.2.zTM9EtIGQK.exe.36231a0.2.raw.unpack / JoeSecurity_AgentTesla_1 / Yara detected AgentTesla / Joe Security

Source names carry Joe Sandbox's own process index (the leading 00000007 / 00000000 of the dump names, the 7. / 0. prefix of the unpack names), not the Windows PID shown under Startup. Process 0 is the submitted sample; process 7 is the second zTM9EtIGQK.exe instance (an early dump of it carries the same OriginalFilename Filter.exe as the static file, see the version-info findings further down). The AgentTesla hit in process 7 at base 0x402000 sits in a region whose protection field reads 00000040 (PAGE_EXECUTE_READWRITE if taken as a PAGE_* value) and corresponds to the 7.2.zTM9EtIGQK.exe.400000.0.unpack entry: the decrypted payload written over the image of the hollowed child. The CredentialStealer hit at 0x3051000 is in a writable region of that same process. The process 0 hits (the dump at 0x3581000, the unpacked PE at 0x36231a0) are the payload decrypted in the parent before injection, and that is the copy the configuration was extracted from.
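A parser for the two tables above, added here as an example for this page rather than anything Joe Sandbox ships. It takes the flattened rows exactly as they appear, splits them into source, rule, description and author, decodes the memory-dump names, and picks out family hits in executable-and-writable memory, which is where an injected payload lands. The dump-name layout (process index, stage, dump id, base address, protection, type) and the reading of the protection field as a Win32 PAGE_* value are assumptions; the row strings are copied from the report.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Layout assumed for a Joe Sandbox memory-dump name (an assumption; the report does not
# document it): <process index>.<stage>.<dump id>.<base address>.<protection>.<type>.sdmp
# The protection field is read as a Win32 PAGE_* value, so 0x40 is PAGE_EXECUTE_READWRITE.
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<type>[0-9A-Fa-f]{8})\.sdmp$"
)
# A flattened table row: source, then a JoeSecurity_* rule name, then "Yara detected ..."
# and the author, all run together exactly as in the Yara Overview above.
ROW_RE = re.compile(
    r"^(?P<source>\S+?\.(?:sdmp|unpack))(?P<rule>JoeSecurity_\w+?)"
    r"(?P<desc>Yara detected .+?)(?P<author>Joe Security)$"
)
EXEC_AND_WRITE = {0x40, 0x80}  # PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY

# Rows copied verbatim from the report's Memory Dumps and Unpacked PEs tables.
ROWS = [
    "00000007.00000002.490822445.0000000003051000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security",
    "00000007.00000002.490822445.0000000003051000.00000004.00000001.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security",
    "00000007.00000002.483950823.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security",
    "00000000.00000002.261761814.00000000024D3000.00000004.00000001.sdmpJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security",
    "00000000.00000002.262469777.0000000003581000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security",
    "7.2.zTM9EtIGQK.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security",
]


@dataclass
class YaraHit:
    source: str
    rule: str
    description: str
    author: str
    proc_index: Optional[int] = None   # Joe Sandbox process index, not the Windows PID
    base: Optional[int] = None         # region base address
    protection: Optional[int] = None   # PAGE_* value (assumed meaning of the field)


def parse_row(row: str) -> YaraHit:
    """Split one flattened table row; decode the dump name when the source is a .sdmp."""
    m = ROW_RE.match(row.strip())
    if not m:
        raise ValueError(f"unrecognised row: {row!r}")
    hit = YaraHit(m["source"], m["rule"], m["desc"], m["author"])
    d = SDMP_RE.match(hit.source)
    if d:
        hit.proc_index = int(d["proc"], 16)
        hit.base = int(d["base"], 16)
        hit.protection = int(d["prot"], 16)
    return hit


def parse_rows(rows) -> List[YaraHit]:
    return [parse_row(r) for r in rows]


def candidate_payload_dumps(hits) -> List[YaraHit]:
    """Hits in memory that was both writable and executable: the regions an unpacker or
    injector writes a PE into, and therefore the first dumps worth carving."""
    return [h for h in hits if h.protection in EXEC_AND_WRITE]


def rules_by_process(hits) -> Dict[int, Set[str]]:
    """Which rules fired in which sandbox process index (unpack entries carry no index)."""
    out: Dict[int, Set[str]] = {}
    for h in hits:
        if h.proc_index is not None:
            out.setdefault(h.proc_index, set()).add(h.rule)
    return out


if __name__ == "__main__":
    parsed = parse_rows(ROWS)
    for h in candidate_payload_dumps(parsed):
        print(f"process {h.proc_index}: {h.rule} at {h.base:#x} (prot {h.protection:#x})")
    print(rules_by_process(parsed))
```

Running it on the six rows singles out the process 7 dump at 0x402000 as the only family hit in executable-and-writable memory, which agrees with the 7.2.zTM9EtIGQK.exe.400000.0.unpack entry being the injected payload.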

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
  Source: Process started; Author: Joe Security
  Data:
    Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\VKAeWEikAShZpp' /XML 'C:\Users\user\AppData\Local\Temp\tmp7D9A.tmp'
    CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\VKAeWEikAShZpp' /XML 'C:\Users\user\AppData\Local\Temp\tmp7D9A.tmp'
    CommandLine|base64offset|contains: *j
    Image: C:\Windows\SysWOW64\schtasks.exe
    NewProcessName: C:\Windows\SysWOW64\schtasks.exe
    OriginalFileName: C:\Windows\SysWOW64\schtasks.exe
    ParentCommandLine: 'C:\Users\user\Desktop\zTM9EtIGQK.exe'
    ParentImage: C:\Users\user\Desktop\zTM9EtIGQK.exe
    ParentProcessId: 2996
    ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\VKAeWEikAShZpp' /XML 'C:\Users\user\AppData\Local\Temp\tmp7D9A.tmp'
    ProcessId: 5852

Two details matter for anyone turning this into a detection. The command line names System32\schtasks.exe, yet the Image is SysWOW64\schtasks.exe: the sample is a 32-bit process, so WOW64 file-system redirection substitutes the 32-bit binary, and a rule should key on the image file name rather than the literal path typed by the parent. The task definition is imported from a file in %LOCALAPPDATA%\Temp, and the task name Updates\VKAeWEikAShZpp matches the file the sample drops to %APPDATA%\Roaming (VKAeWEikAShZpp.exe); the XML itself is not reproduced in the report.
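Detection logic for the pattern in this Sigma hit, written as an added example for this page (it is not Joe Sandbox's code nor the Sigma rule's own implementation). It runs over constructed process-creation events modelled on the fields above: the first two reproduce the schtasks launch and the self-spawn from the Startup tree, the third is a benign control. The temp-directory list, the field names, and the self-spawn allowlist are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed process-creation events (not an export from the sandbox). The first two
# mirror the fields of the Sigma hit and the Startup tree above; the third is a benign control.
EVENTS: List[Dict[str, object]] = [
    {
        "ProcessId": 5852, "ParentProcessId": 2996,
        "Image": r"C:\Windows\SysWOW64\schtasks.exe",
        "ParentImage": r"C:\Users\user\Desktop\zTM9EtIGQK.exe",
        "CommandLine": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\VKAeWEikAShZpp' /XML 'C:\Users\user\AppData\Local\Temp\tmp7D9A.tmp'",
    },
    {
        "ProcessId": 4864, "ParentProcessId": 2996,
        "Image": r"C:\Users\user\Desktop\zTM9EtIGQK.exe",
        "ParentImage": r"C:\Users\user\Desktop\zTM9EtIGQK.exe",
        "CommandLine": r"C:\Users\user\Desktop\zTM9EtIGQK.exe",
    },
    {
        "ProcessId": 7001, "ParentProcessId": 900,
        "Image": r"C:\Windows\System32\schtasks.exe",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r"schtasks.exe /Create /TN Backup\Nightly /XML C:\ProgramData\Backup\nightly.xml",
    },
]

# Assumed "temp" locations a task definition should never be imported from.
TEMP_DIR_RE = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp)\\", re.I)
# /XML <path>, with or without single or double quotes around the path.
XML_ARG_RE = re.compile(r"/xml\s+['\"]?([^'\"]+?)['\"]?(?=\s|$)", re.I)
# Assumed allowlist of images that legitimately start copies of themselves.
SELF_SPAWN_ALLOW = {"chrome.exe", "msedge.exe", "firefox.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def task_xml_path(cmdline: str) -> str:
    """Return the path given to /XML, or '' when the command line has none."""
    m = XML_ARG_RE.search(cmdline)
    return m.group(1) if m else ""


def is_schtasks_from_temp(ev: Dict[str, object]) -> bool:
    """schtasks.exe /Create importing its task definition from a temp directory.
    Matching on the Image basename rather than the typed path survives WOW64
    redirection (the report's command line says System32, the image is SysWOW64)."""
    if basename(str(ev["Image"])) != "schtasks.exe":
        return False
    cmd = str(ev["CommandLine"])
    if not re.search(r"/create\b", cmd, re.I):
        return False
    return bool(TEMP_DIR_RE.search(task_xml_path(cmd)))


def is_self_spawn(ev: Dict[str, object]) -> bool:
    """A process starting a second instance of its own image, as the sample does before
    injecting into the child. Weak on its own, hence the allowlist for browsers."""
    img, parent = str(ev["Image"]), str(ev["ParentImage"])
    return img.lower() == parent.lower() and basename(img) not in SELF_SPAWN_ALLOW


def detect(events) -> List[Tuple[str, int]]:
    """Return (rule name, ProcessId) for every event that trips a rule, in event order."""
    hits: List[Tuple[str, int]] = []
    for ev in events:
        if is_schtasks_from_temp(ev):
            hits.append(("schtasks_xml_from_temp", int(ev["ProcessId"])))
        if is_self_spawn(ev):
            hits.append(("self_spawn_same_image", int(ev["ProcessId"])))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: pid {pid}")
```

The two rules are deliberately kept separate: the schtasks rule is specific enough to alert on by itself, while the self-spawn rule is a corroborating signal that belongs in a correlation with the report's "Creates a process in suspended mode" behaviour rather than in a stand-alone alert.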

                  Signature Overview


AV Detection:

Antivirus / Scanner detection for submitted sample
  Source: zTM9EtIGQK.exe; Avira: detected
Antivirus detection for dropped file
  Source: C:\Users\user\AppData\Roaming\VKAeWEikAShZpp.exe; Avira: detection malicious, Label: HEUR/AGEN.1138557
Found malware configuration
  Source: 0.2.zTM9EtIGQK.exe.36231a0.2.unpack; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "armyscheme3@yandex.combrowse9jasmtp.yandex.com"}
Multi AV Scanner detection for dropped file
  Source: C:\Users\user\AppData\Roaming\VKAeWEikAShZpp.exe; ReversingLabs: Detection: 35%
Multi AV Scanner detection for submitted file
  Source: zTM9EtIGQK.exe; Virustotal: Detection: 32%
  Source: zTM9EtIGQK.exe; ReversingLabs: Detection: 35%
Machine Learning detection for dropped file
  Source: C:\Users\user\AppData\Roaming\VKAeWEikAShZpp.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
  Source: zTM9EtIGQK.exe; Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
  Source: 7.2.zTM9EtIGQK.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen8
Static PE information
  Source: zTM9EtIGQK.exe; 32BIT_MACHINE, EXECUTABLE_IMAGE
  Source: zTM9EtIGQK.exe; NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Found inlined nop instructions (likely shell or obfuscated code)
  Source: C:\Users\user\Desktop\zTM9EtIGQK.exe; Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h at 0_2_0E6D1060, 0_2_0E6D2FC0, 0_2_0E6D2FAF, 0_2_0E6D1050

Strings found in binary or memory (URL-like), grouped by source. Trailing characters such as "0h", "icta" or "%GETMozilla/5.0" are adjacent bytes the string scanner picked up and are not part of the URL.

Source: zTM9EtIGQK.exe (static file)
  • http://tempuri.org/GridOneHSDataSet.xsd
  • http://tempuri.org/HighScoresDataSet.xsd
Source: zTM9EtIGQK.exe, 00000000.00000002.261724513.00000000024C1000.00000004.00000001.sdmp and 00000000.00000002.261761814.00000000024D3000.00000004.00000001.sdmp
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: zTM9EtIGQK.exe, 00000000.00000002.261761814.00000000024D3000.00000004.00000001.sdmp
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name4
  • https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: zTM9EtIGQK.exe, 00000000.00000002.261241887.0000000000C07000.00000004.00000040.sdmp
  • http://www.fontbureau.comicta
  • http://www.fontbureau.comm
Source: zTM9EtIGQK.exe, 00000000.00000002.267658115.00000000066E2000.00000004.00000001.sdmp
  • http://fontfabrik.com
  • http://www.apache.org/licenses/LICENSE-2.0
  • http://www.carterandcone.coml
  • http://www.fontbureau.com
  • http://www.fontbureau.com/designers
  • http://www.fontbureau.com/designers/?
  • http://www.fontbureau.com/designers/cabarga.htmlN
  • http://www.fontbureau.com/designers/frere-jones.html
  • http://www.fontbureau.com/designers8
  • http://www.fontbureau.com/designers?
  • http://www.fontbureau.com/designersG
  • http://www.fonts.com
  • http://www.founder.com.cn/cn
  • http://www.founder.com.cn/cn/bThe
  • http://www.founder.com.cn/cn/cThe
  • http://www.galapagosdesign.com/DPlease
  • http://www.galapagosdesign.com/staff/dennis.htm
  • http://www.goodfont.co.kr
  • http://www.jiyu-kobo.co.jp/
  • http://www.sajatypeworks.com
  • http://www.sakkal.com
  • http://www.sandoll.co.kr
  • http://www.tiro.com
  • http://www.typography.netD
  • http://www.urwpp.deDPlease
  • http://www.zhongyicts.com.cn
Source: zTM9EtIGQK.exe, 00000000.00000003.219533614.00000000054EB000.00000004.00000001.sdmp
  • http://www.fonts.comHC
Source: zTM9EtIGQK.exe, 00000000.00000003.219397829.00000000054EB000.00000004.00000001.sdmp
  • http://www.fonts.com~C
Source: zTM9EtIGQK.exe, 00000000.00000003.219814071.00000000054EB000.00000004.00000001.sdmp
  • http://www.tiro.comZC
Source: zTM9EtIGQK.exe, 00000000.00000003.221443733.00000000054E1000.00000004.00000001.sdmp
  • http://www.founder.com.cn/cnE
  • http://www.founder.com.cn/cnd
Source: zTM9EtIGQK.exe, 00000000.00000002.262469777.0000000003581000.00000004.00000001.sdmp and 00000007.00000002.483950823.0000000000402000.00000040.00000001.sdmp
  • https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: zTM9EtIGQK.exe, 00000007.00000002.489237236.0000000001385000.00000004.00000020.sdmp
  • http://crl.certum.pl/ca.crl0h
  • http://crl.certum.pl/ctnca.crl0k
  • http://crls.yandex.net/certum/ycasha2.crl0-
  • http://repository.certum.pl/ca.cer09
  • http://repository.certum.pl/ctnca.cer09
  • http://repository.certum.pl/ycasha2.cer0
  • http://subca.ocsp-certum.com0.
  • http://subca.ocsp-certum.com01
  • http://www.certum.pl/CPS0
  • http://yandex.crl.certum.pl/ycasha2.crl0q
  • http://yandex.ocsp-responder.com03
  • https://www.certum.pl/CPS0
Source: zTM9EtIGQK.exe, 00000007.00000002.490822445.0000000003051000.00000004.00000001.sdmp
  • http://127.0.0.1:HTTP/1.1
  • http://DynDns.comDynDNS
  • http://NmvONo.com
  • https://api.ipify.org%
  • https://api.ipify.org%GETMozilla/5.0
  • https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: zTM9EtIGQK.exe, 00000007.00000002.490822445.0000000003051000.00000004.00000001.sdmp and 00000007.00000002.494359087.0000000003340000.00000004.00000001.sdmp
  • https://K7p4S11uSBScHXT6.com
Source: zTM9EtIGQK.exe, 00000007.00000002.494240674.0000000003314000.00000004.00000001.sdmp
  • http://smtp.yandex.com

Reading the list: the font-vendor, Apache-licence, Bootstrap and tempuri.org URLs in process 0 are metadata from embedded fonts and from the unrelated .NET application code the sample was built around (compare the Portuguese-language SQL strings further down), and the Certum / Yandex CRL, OCSP and CPS URLs in process 7 are certificate-chain fields; none of these is an indicator. The strings worth acting on are all in process 7, the injected AgentTesla payload: api.ipify.org (the external-IP lookup the stealer performs before reporting), smtp.yandex.com (the server from the extracted configuration), the 127.0.0.1 HTTP request template together with DynDns.com, and the tor-win32 archive URL with its %tordir% placeholder, which belongs to the family's Tor exfiltration option. NmvONo.com and K7p4S11uSBScHXT6.com are random-looking and cannot be attributed from this report alone.

System Summary:

.NET source code contains very large array initializations
  Source: 7.2.zTM9EtIGQK.exe.400000.0.unpack, <PrivateImplementationDetails>{9BB50ABB-997B-49D4-96BA-B4F190B3376F}/6183AC38-4AD0-4B11-886D-06E3B37F3CC0.cs; Large array initialization: .cctor: array initializer size 11951

Contains functionality to call native functions
  Source: C:\Users\user\Desktop\zTM9EtIGQK.exe; Code function: 0_2_06DD6EA8 NtQueryInformationProcess
  Source: C:\Users\user\Desktop\zTM9EtIGQK.exe; Code function: 0_2_06DD6EA0 NtQueryInformationProcess

Code functions identified in C:\Users\user\Desktop\zTM9EtIGQK.exe (notation <process index>_<stage>_<address>; the report lists each address twice, once as the function and once as the reference):
  Process 0: 0_2_000FA9EA, 0_2_0235C2B0, 0_2_02359990, 0_2_06DD54C0, 0_2_06DD6C60, 0_2_06DDC420, 0_2_06DD7A78, 0_2_06DDCB00, 0_2_06DDD130, 0_2_06DD8650, 0_2_06DD8660, 0_2_06DD7FD9, 0_2_06DD7FE8, 0_2_06DD5768, 0_2_06DD54B0, 0_2_06DD6459, 0_2_06DD6468, 0_2_06DD5D88, 0_2_06DD7D84, 0_2_06DD2DB0, 0_2_06DD2DAE, 0_2_06DD5D4C, 0_2_06DD2258, 0_2_06DD7A5B, 0_2_06DD2268, 0_2_06DD7A1F, 0_2_06DD1B88, 0_2_06DD1B78, 0_2_06DD9318, 0_2_06DD9308, 0_2_06DD08F8, 0_2_06DD2053, 0_2_06DD9818, 0_2_06DD9807, 0_2_06DD2038, 0_2_06DD2028, 0_2_06DD0908, 0_2_0E6D2B88, 0_2_0E6D1860, 0_2_000FAAC7, 0_2_000FAA54
  Process 7: 7_2_00CEA9EA, 7_2_01432D50, 7_2_01432020, 7_2_0143AB70, 7_2_01432618, 7_2_0143B110, 7_2_0143D980, 7_2_0143BDBC, 7_2_0143EE10, 7_2_02EA46A0, 7_2_02EA4690, 7_2_02EA4672, 7_2_05B97540, 7_2_05B994F8, 7_2_05B96C70, 7_2_05B96928, 7_2_00CEAAC7, 7_2_00CEAA54, 7_2_05B9257B, 7_2_05B92680
Dropped file seen in connection with other malware
  Source: Joe Sandbox View; Dropped File: C:\Users\user\AppData\Roaming\VKAeWEikAShZpp.exe, SHA256 4EE443331BDEBFDFFFA8F7FE75C1434504A900DC792561390F27C3F9F0C8BC09
  That SHA256 is the submitted sample's own (see General Information): the copy placed in %APPDATA%\Roaming is byte-identical to the original, so a single file hash covers both the initial binary and the persistence copy.

Sample file is different than original file name gathered from version info
  Source: zTM9EtIGQK.exe; OriginalFilename vs zTM9EtIGQK.exe
  Source: zTM9EtIGQK.exe, 00000000.00000002.270432002.000000000E3D0000.00000002.00000001.sdmp; originalfilename vs zTM9EtIGQK.exe
  Source: zTM9EtIGQK.exe, 00000000.00000002.270432002.000000000E3D0000.00000002.00000001.sdmp; OriginalFilenamepropsys.dll.mui@ vs zTM9EtIGQK.exe
  Source: zTM9EtIGQK.exe, 00000000.00000002.261761814.00000000024D3000.00000004.00000001.sdmp; OriginalFilenameZLGbMGFFseWUKMCXRuKzK.exe4 vs zTM9EtIGQK.exe
  Source: zTM9EtIGQK.exe, 00000000.00000002.261761814.00000000024D3000.00000004.00000001.sdmp; OriginalFilenameSimpleUI.dll2 vs zTM9EtIGQK.exe
  Source: zTM9EtIGQK.exe, 00000000.00000002.267978645.0000000006D40000.00000004.00000001.sdmp; OriginalFilenameDSASignature.dll" vs zTM9EtIGQK.exe
  Source: zTM9EtIGQK.exe, 00000000.00000003.258888468.000000000DB66000.00000004.00000001.sdmp; OriginalFilenameFilter.exe4 vs zTM9EtIGQK.exe
  Source: zTM9EtIGQK.exe, 00000000.00000002.268399680.00000000083F0000.00000002.00000001.sdmp; OriginalFilenamemscorrc.dllT vs zTM9EtIGQK.exe
  Source: zTM9EtIGQK.exe, 00000000.00000002.269700084.000000000E2D0000.00000002.00000001.sdmp; System.OriginalFileName vs zTM9EtIGQK.exe
  Source: zTM9EtIGQK.exe, 00000007.00000000.257991876.0000000000CE2000.00000002.00020000.sdmp; OriginalFilenameFilter.exe4 vs zTM9EtIGQK.exe
  Source: zTM9EtIGQK.exe, 00000007.00000002.483950823.0000000000402000.00000040.00000001.sdmp; OriginalFilenameZLGbMGFFseWUKMCXRuKzK.exe4 vs zTM9EtIGQK.exe
  Source: zTM9EtIGQK.exe, 00000007.00000002.498895022.0000000006580000.00000002.00000001.sdmp; OriginalFilenamemscorrc.dllT vs zTM9EtIGQK.exe
  Source: zTM9EtIGQK.exe, 00000007.00000002.489837671.00000000014A0000.00000002.00000001.sdmp; OriginalFilenamewshom.ocx.mui vs zTM9EtIGQK.exe
  Source: zTM9EtIGQK.exe; OriginalFilenameFilter.exe4 vs zTM9EtIGQK.exe
  Two of these names matter. Filter.exe is the OriginalFilename in the sample's own version resource (the static file and an early dump of process 7). ZLGbMGFFseWUKMCXRuKzK.exe is the version-resource name of the decrypted PE, seen in process 0 memory before injection and at 0x402000 in process 7 after it. propsys.dll.mui, mscorrc.dll and wshom.ocx.mui are version resources of system modules mapped into the process and are noise for this check.

Uses 32bit PE files / section flags
  Source: zTM9EtIGQK.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
  Source: zTM9EtIGQK.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
  Source: VKAeWEikAShZpp.exe.0.dr; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
  Source: zTM9EtIGQK.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (a .NET assembly)
  Source: zTM9EtIGQK.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Cryptographic APIs in the unpacked .NET source
  Source: 7.2.zTM9EtIGQK.exe.400000.0.unpack, A/b2.cs; Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor' (the report lists this finding twice)

Classification
  Source: classification engine; Classification label: mal100.troj.spyw.evad.winEXE@6/4@0/0

Files, objects and loaded modules
  Source: C:\Users\user\Desktop\zTM9EtIGQK.exe; File created: C:\Users\user\AppData\Roaming\VKAeWEikAShZpp.exe
  Source: C:\Users\user\Desktop\zTM9EtIGQK.exe; File created: C:\Users\user\AppData\Local\Temp\tmp7D9A.tmp (the task definition that schtasks.exe imports via /XML)
  Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6128:120:WilError_01 (conhost's own WIL error-reporting mutex, named after its PID; not a sample artefact and not usable as an indicator)
  Source: C:\Users\user\Desktop\zTM9EtIGQK.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (listed twice in the report)
  Source: C:\Users\user\Desktop\zTM9EtIGQK.exe; File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
  Source: C:\Users\user\Desktop\zTM9EtIGQK.exe; File read: C:\Users\user\Desktop\desktop.ini
  Source: C:\Users\user\Desktop\zTM9EtIGQK.exe; File read: C:\Users\user\Desktop\zTM9EtIGQK.exe (the sample reads its own image, consistent with copying itself to %APPDATA%\Roaming)

Registry
  Source: C:\Users\user\Desktop\zTM9EtIGQK.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers (a Software Restriction Policy lookup the .NET runtime performs at start-up; not suspicious by itself)
  Source: C:\Users\user\Desktop\zTM9EtIGQK.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
  Source: C:\Users\user\Desktop\zTM9EtIGQK.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (the Outlook profile subkey that holds account settings; this is the evidence behind "Tries to steal Mail credentials")

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
  Source: C:\Users\user\Desktop\zTM9EtIGQK.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Application strings in process 0 memory
  Source: zTM9EtIGQK.exe, 00000000.00000002.261761814.00000000024D3000.00000004.00000001.sdmp. The dump holds the SQL of a Portuguese-language database application (tables Clientes = customers, Aluguel = rental, Itens_Aluguel = rental items; "Erro ao listar Banco sql" = "Error listing SQL database"); in two statements the table name has been replaced by UnmanagedMemoryStreamWrapper, which looks like identifier renaming by the obfuscator. This is the host application the payload was packed into, not stealer logic:
  • Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
  • Select * from Clientes WHERE id=@id;;
  • Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
  • INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
  • INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
  • Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
  • INSERT INTO Aluguel VALUES(@clienteID, @data);

Scanner results (repeated from AV Detection)
  Source: zTM9EtIGQK.exe; Virustotal: Detection: 32%
  Source: zTM9EtIGQK.exe; ReversingLabs: Detection: 35%

Process creation
  Source: unknown; Process created: C:\Users\user\Desktop\zTM9EtIGQK.exe 'C:\Users\user\Desktop\zTM9EtIGQK.exe'
  Source: C:\Users\user\Desktop\zTM9EtIGQK.exe; Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\VKAeWEikAShZpp' /XML 'C:\Users\user\AppData\Local\Temp\tmp7D9A.tmp'
  Source: C:\Windows\SysWOW64\schtasks.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  Source: C:\Users\user\Desktop\zTM9EtIGQK.exe; Process created: C:\Users\user\Desktop\zTM9EtIGQK.exe C:\Users\user\Desktop\zTM9EtIGQK.exe
  (the two launches started by the sample are listed a second time in the report's behaviour view)

Uses code obfuscation techniques (call, push, ret)
  Source: C:\Users\user\Desktop\zTM9EtIGQK.exe; Code function: 0_2_06DD2D17 push es; ret (reference 0_2_06DD2D18)
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeCode function: 7_2_01437A37 push edi; retn 0000h7_2_01437A39
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeCode function: 7_2_02EADCCE push 8BF08BFEh; iretd 7_2_02EADCDF
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeCode function: 7_2_02EADD38 push FFFFFF8Bh; iretd 7_2_02EADD3B
                  Source: initial sampleStatic PE information: section name: .text entropy: 7.59937504831
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | File created: C:\Users\user\AppData\Roaming\VKAeWEikAShZpp.exe

                  Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\VKAeWEikAShZpp' /XML 'C:\Users\user\AppData\Local\Temp\tmp7D9A.tmp'
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: 00000000.00000002.261761814.00000000024D3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: zTM9EtIGQK.exe PID: 2996, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: zTM9EtIGQK.exe, 00000000.00000002.261761814.00000000024D3000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: zTM9EtIGQK.exe, 00000000.00000002.261761814.00000000024D3000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Window / User API: threadDelayed 3165
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Window / User API: threadDelayed 6686
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe TID: 968 | Thread sleep time: -103140s >= -30000s
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe TID: 4772 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe TID: 6196 | Thread sleep time: -18446744073709540s >= -30000s
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe TID: 6200 | Thread sleep count: 3165 > 30
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe TID: 6200 | Thread sleep count: 6686 > 30
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Thread delayed: delay time: 103140
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Thread delayed: delay time: 922337203685477
Source: zTM9EtIGQK.exe, 00000000.00000002.261761814.00000000024D3000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: zTM9EtIGQK.exe, 00000007.00000002.489237236.0000000001385000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllWe
Source: zTM9EtIGQK.exe, 00000000.00000002.261761814.00000000024D3000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: zTM9EtIGQK.exe, 00000000.00000002.261761814.00000000024D3000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: zTM9EtIGQK.exe, 00000000.00000002.261761814.00000000024D3000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: zTM9EtIGQK.exe, 00000000.00000002.261761814.00000000024D3000.00000004.00000001.sdmp | Binary or memory string: VMWARE
Source: zTM9EtIGQK.exe, 00000000.00000002.261761814.00000000024D3000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: zTM9EtIGQK.exe, 00000000.00000002.261761814.00000000024D3000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: zTM9EtIGQK.exe, 00000000.00000002.261761814.00000000024D3000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: zTM9EtIGQK.exe, 00000000.00000002.261761814.00000000024D3000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Memory written: C:\Users\user\Desktop\zTM9EtIGQK.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\VKAeWEikAShZpp' /XML 'C:\Users\user\AppData\Local\Temp\tmp7D9A.tmp'
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Process created: C:\Users\user\Desktop\zTM9EtIGQK.exe C:\Users\user\Desktop\zTM9EtIGQK.exe
Source: zTM9EtIGQK.exe, 00000007.00000002.490377339.0000000001A20000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: zTM9EtIGQK.exe, 00000007.00000002.490377339.0000000001A20000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: zTM9EtIGQK.exe, 00000007.00000002.490377339.0000000001A20000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: zTM9EtIGQK.exe, 00000007.00000002.490377339.0000000001A20000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Users\user\Desktop\zTM9EtIGQK.exe VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\zTM9EtIGQK.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\zTM9EtIGQK.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation