
Analysis Report Szallitasi adatok.tar

Overview

General Information

Sample Name:Szallitasi adatok.tar
Analysis ID:383998
MD5:fa2c7acf057d7ecf693cbb13fab9b1b3
SHA1:b67cd39674b6d039e235fbb9cf0272a103afa475
SHA256:1b90e29a9f49905ead7832ff25d7ba91fddeb4827d7c8ca506c6c0b6f96acda7

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains very large array initializations
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • unarchiver.exe (PID: 6880 cmdline: 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\Desktop\Szallitasi adatok.tar' MD5: DB55139D9DD29F24AE8EA8F0E5606901)
    • 7za.exe (PID: 6916 cmdline: 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s' 'C:\Users\user\Desktop\Szallitasi adatok.tar' MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)
      • conhost.exe (PID: 6964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 7008 cmdline: 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 7028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • Szallitasi adatok.exe (PID: 7056 cmdline: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe MD5: C615C5F811E05D5743CE4DD4AFAD4055)
        • Szallitasi adatok.exe (PID: 7104 cmdline: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe MD5: C615C5F811E05D5743CE4DD4AFAD4055)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "torremolinos3@copiplus.esvB&6mnT00r3mol2o17smtp.1and1.es"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000007.00000002.590323403.0000000003481000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000007.00000002.590323403.0000000003481000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000007.00000002.586946181.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000006.00000002.344267324.0000000003FF6000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000006.00000002.343156984.0000000002E03000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
6.2.Szallitasi adatok.exe.4086228.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
7.2.Szallitasi adatok.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
6.2.Szallitasi adatok.exe.4086228.3.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
6.2.Szallitasi adatok.exe.4015208.2.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 6.2.Szallitasi adatok.exe.4086228.3.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "torremolinos3@copiplus.esvB&6mnT00r3mol2o17smtp.1and1.es"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | ReversingLabs: Detection: 18%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Joe Sandbox ML: detected
Source: 7.2.Szallitasi adatok.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: C:\Windows\SysWOW64\unarchiver.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 4x nop then jmp 02EB099Bh
Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 4x nop then jmp 02EB099Ah
Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h
Source: global traffic | TCP traffic: 192.168.2.6:49748 -> 212.227.15.158:587
Source: Joe Sandbox View | IP Address: 212.227.15.158 212.227.15.158
Source: global traffic | TCP traffic: 192.168.2.6:49748 -> 212.227.15.158:587
Source: unknown | DNS traffic detected: queries for: smtp.1and1.es
Source: Szallitasi adatok.exe, 00000007.00000002.590323403.0000000003481000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Szallitasi adatok.exe, 00000007.00000002.590323403.0000000003481000.00000004.00000001.sdmp | String found in binary or memory: http://CpKupV.com
Source: Szallitasi adatok.exe, 00000007.00000002.590323403.0000000003481000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: Szallitasi adatok.exe, 00000007.00000002.595705814.0000000006FA0000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.geotrust.com/GeoTrustRSACA2018.crt0
Source: Szallitasi adatok.exe, 00000007.00000002.595705814.0000000006FA0000.00000004.00000001.sdmp | String found in binary or memory: http://cdp.geotrust.com/GeoTrustRSACA2018.crl0L
Source: Szallitasi adatok.exe, 00000007.00000002.595705814.0000000006FA0000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: Szallitasi adatok.exe, 00000006.00000002.347842702.0000000007042000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Szallitasi adatok.exe, 00000007.00000002.595705814.0000000006FA0000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0B
Source: Szallitasi adatok.exe, 00000006.00000002.343156984.0000000002E03000.00000004.00000001.sdmp, Szallitasi adatok.exe, 00000006.00000002.343135328.0000000002DF1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Szallitasi adatok.exe, 00000006.00000002.343156984.0000000002E03000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name4
Source: Szallitasi adatok.exe, 00000007.00000002.592552943.00000000037DC000.00000004.00000001.sdmp | String found in binary or memory: http://smtp.1and1.es
Source: Szallitasi adatok.exe, 00000007.00000002.595705814.0000000006FA0000.00000004.00000001.sdmp | String found in binary or memory: http://status.geotrust.com0=
Source: Szallitasi adatok.exe, 00000007.00000002.590323403.0000000003481000.00000004.00000001.sdmp, Szallitasi adatok.exe, 00000007.00000003.544547709.00000000015E4000.00000004.00000001.sdmp | String found in binary or memory: http://wjANZKRbswl5oYyv5U.com
Source: Szallitasi adatok.exe, 00000006.00000002.347842702.0000000007042000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Szallitasi adatok.exe, 00000006.00000003.329128388.0000000005E61000.00000004.00000001.sdmp, Szallitasi adatok.exe, 00000006.00000003.328833893.0000000005E61000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: Szallitasi adatok.exe, 00000006.00000003.328759345.0000000005E61000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com.N
Source: Szallitasi adatok.exe, 00000006.00000002.347842702.0000000007042000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: Szallitasi adatok.exe, 00000006.00000003.328833893.0000000005E61000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comn-u
Source: Szallitasi adatok.exe, 00000006.00000003.329128388.0000000005E61000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comn-u0
Source: Szallitasi adatok.exe, 00000006.00000003.329128388.0000000005E61000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comr
Source: Szallitasi adatok.exe, 00000006.00000002.347842702.0000000007042000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: Szallitasi adatok.exe, 00000006.00000002.347842702.0000000007042000.00000004.00000001.sdmp, Szallitasi adatok.exe, 00000006.00000003.334203954.0000000005E62000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Szallitasi adatok.exe, 00000006.00000003.330798629.0000000005E62000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/
Source: Szallitasi adatok.exe, 00000006.00000002.347842702.0000000007042000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Szallitasi adatok.exe, 00000006.00000002.347842702.0000000007042000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Szallitasi adatok.exe, 00000006.00000003.330983935.0000000005E62000.00000004.00000001.sdmp, Szallitasi adatok.exe, 00000006.00000002.347842702.0000000007042000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Szallitasi adatok.exe, 00000006.00000003.330590528.0000000005E62000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/i
Source: Szallitasi adatok.exe, 00000006.00000002.347842702.0000000007042000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: Szallitasi adatok.exe, 00000006.00000002.347842702.0000000007042000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: Szallitasi adatok.exe, 00000006.00000003.330822847.0000000005E62000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersC
Source: Szallitasi adatok.exe, 00000006.00000002.347842702.0000000007042000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: Szallitasi adatok.exe, 00000006.00000003.330822847.0000000005E62000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersP
Source: Szallitasi adatok.exe, 00000006.00000003.331212623.0000000005E62000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers~
Source: Szallitasi adatok.exe, 00000006.00000003.341878900.0000000005E3A000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comaJ
Source: Szallitasi adatok.exe, 00000006.00000003.341878900.0000000005E3A000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comasc
Source: Szallitasi adatok.exe, 00000006.00000002.347842702.0000000007042000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: Szallitasi adatok.exe, 00000006.00000002.347842702.0000000007042000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Szallitasi adatok.exe, 00000006.00000002.347842702.0000000007042000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Szallitasi adatok.exe, 00000006.00000002.347842702.0000000007042000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Szallitasi adatok.exe, 00000006.00000003.328398898.0000000005E5D000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cna-e
Source: Szallitasi adatok.exe, 00000006.00000002.347842702.0000000007042000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Szallitasi adatok.exe, 00000006.00000002.347842702.0000000007042000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Szallitasi adatok.exe, 00000006.00000003.328148680.0000000005E5D000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: Szallitasi adatok.exe, 00000006.00000003.328148680.0000000005E5D000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr-e
Source: Szallitasi adatok.exe, 00000006.00000003.329656338.0000000005E37000.00000004.00000001.sdmp, Szallitasi adatok.exe, 00000006.00000003.329458297.0000000005E34000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Szallitasi adatok.exe, 00000006.00000003.329656338.0000000005E37000.00000004.00000001.sdmp, Szallitasi adatok.exe, 00000006.00000003.329810137.0000000005E3A000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp//
Source: Szallitasi adatok.exe, 00000006.00000003.329810137.0000000005E3A000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/C
Source: Szallitasi adatok.exe, 00000006.00000003.329656338.0000000005E37000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/U
Source: Szallitasi adatok.exe, 00000006.00000003.329656338.0000000005E37000.00000004.00000001.sdmp, Szallitasi adatok.exe, 00000006.00000003.329810137.0000000005E3A000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Szallitasi adatok.exe, 00000006.00000003.329656338.0000000005E37000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/J
Source: Szallitasi adatok.exe, 00000006.00000003.329810137.0000000005E3A000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/n
Source: Szallitasi adatok.exe, 00000006.00000003.329656338.0000000005E37000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/nb-n
Source: Szallitasi adatok.exe, 00000006.00000003.333277327.0000000005E61000.00000004.00000001.sdmp | String found in binary or memory: http://www.monotype.
Source: Szallitasi adatok.exe, 00000006.00000002.347842702.0000000007042000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: Szallitasi adatok.exe, 00000006.00000003.329984191.0000000005E62000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: Szallitasi adatok.exe, 00000006.00000003.328148680.0000000005E5D000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: Szallitasi adatok.exe, 00000006.00000003.328148680.0000000005E5D000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr.krt-b
Source: Szallitasi adatok.exe, 00000006.00000002.347842702.0000000007042000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: Szallitasi adatok.exe, 00000006.00000003.329144440.0000000005E61000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comslnt
Source: Szallitasi adatok.exe, 00000006.00000002.347842702.0000000007042000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: Szallitasi adatok.exe, 00000006.00000003.331404258.0000000005E62000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.de
Source: Szallitasi adatok.exe, 00000006.00000002.347842702.0000000007042000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: Szallitasi adatok.exe, 00000006.00000003.331404258.0000000005E62000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.derT
Source: Szallitasi adatok.exe, 00000006.00000002.347842702.0000000007042000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: Szallitasi adatok.exe, 00000006.00000003.328730706.0000000005E61000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cna
Source: Szallitasi adatok.exe, Szallitasi adatok.exe, 00000007.00000000.340920875.0000000000F82000.00000002.00020000.sdmp, Szallitasi adatok.tar | String found in binary or memory: https://dist.nuget.org/win-x86-commandline/latest/nuget.exe
Source: Szallitasi adatok.exe, Szallitasi adatok.tar | String found in binary or memory: https://github.com/Spegeli/Pokemon-Go-Rocket-API/archive/master.zip
Source: Szallitasi adatok.exe, Szallitasi adatok.exe, 00000007.00000000.340920875.0000000000F82000.00000002.00020000.sdmp, Szallitasi adatok.tar | String found in binary or memory: https://github.com/d-haxton/HaxtonBot/archive/master.zip
Source: Szallitasi adatok.exe, 00000006.00000002.343156984.0000000002E03000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: Szallitasi adatok.exe, 00000007.00000002.595705814.0000000006FA0000.00000004.00000001.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
Source: Szallitasi adatok.exe, 00000006.00000002.344267324.0000000003FF6000.00000004.00000001.sdmp, Szallitasi adatok.exe, 00000007.00000002.586946181.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Szallitasi adatok.exe, 00000007.00000002.590323403.0000000003481000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

.NET source code contains very large array initializations
Source: 7.2.Szallitasi adatok.exe.400000.0.unpack, <PrivateImplementationDetails>{EC539FFC-C2DE-4D49-9C7D-51A304EDDE69}/DB0019FB-D56E-4258-8DEF-F1840779C330.cs | Large array initialization: .cctor: array initializer size 11940
Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 0_2_02EB02A8
Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 0_2_02EB0299
Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Code function: 6_2_00A32050
Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Code function: 6_2_014C94A8
Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Code function: 6_2_014CDCF4
Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Code function: 6_2_014CC148
Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Code function: 6_2_014CE218
Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Code function: 6_2_014CA748
Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Code function: 6_2_04E60040
Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Code function: 6_2_04E62130
Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Code function: 6_2_04E61C30
Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Code function: 6_2_04E65AF5
Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Code function: 6_2_04E654A8
Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Code function: 6_2_04E654B8
Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Code function: 6_2_04E60006
Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Code function: 6_2_04E63007
Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Code function: 6_2_04E61017
Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Code function: 6_2_04E63018
Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Code function: 6_2_04E62120
Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Code function: 6_2_04E61C21
Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Code function: 6_2_04E60EE0
Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Code function: 6_2_04E60ED8
Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Code function: 7_2_00F82050
Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Code function: 7_2_017F2020
Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Code function: 7_2_017FAB70
Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Code function: 7_2_017F2618
Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Code function: 7_2_017FC378
Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Code function: 7_2_01839000
Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Code function: 7_2_01833800
Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Code function: 7_2_018377A0
Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Code function: 7_2_01831AE0
Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Code function: 7_2_01831108
Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Code function: 7_2_01838820
Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Code function: 7_2_0183C7C8
Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Code function: 7_2_0183A370
Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Code function: 7_2_0183F204
Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Code function: 7_2_0183BA50
Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Code function: 7_2_0188F3C0
Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Code function: 7_2_0188B7D4
Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Code function: 7_2_01885D40
Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Code function: 7_2_01880040
Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Code function: 7_2_018871F0
Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Code function: 7_2_0188A740
Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Code function: 7_2_01889180
Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Code function: 7_2_01880014
Source: Szallitasi adatok.exe.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Szallitasi adatok.tar | Binary or memory string: OriginalFilenameIsByValue.exeD vs Szallitasi adatok.tar
Source: Szallitasi adatok.exe.2.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 7.2.Szallitasi adatok.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winTAR@11/4@1/1
Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Szallitasi adatok.exe.log
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6964:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7028:120:WilError_01
Source: C:\Windows\SysWOW64\unarchiver.exe | File created: C:\Users\user\AppData\Local\Temp\mcgybaxf.vdb
Source: C:\Windows\SysWOW64\unarchiver.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\unarchiver.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\SysWOW64\unarchiver.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\unarchiver.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Szallitasi adatok.exe, 00000006.00000002.343156984.0000000002E03000.00000004.00000001.sdmp | Binary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
Source: Szallitasi adatok.exe, 00000006.00000002.343156984.0000000002E03000.00000004.00000001.sdmp | Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: Szallitasi adatok.exe, 00000006.00000002.343156984.0000000002E03000.00000004.00000001.sdmp | Binary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: Szallitasi adatok.exe, 00000006.00000002.343156984.0000000002E03000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
Source: Szallitasi adatok.exe, 00000006.00000002.343156984.0000000002E03000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: Szallitasi adatok.exe, 00000006.00000002.343156984.0000000002E03000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: Szallitasi adatok.exe, 00000006.00000002.343156984.0000000002E03000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: unknown | Process created: C:\Windows\SysWOW64\unarchiver.exe 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\Desktop\Szallitasi adatok.tar'
Source: C:\Windows\SysWOW64\unarchiver.exe | Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s' 'C:\Users\user\Desktop\Szallitasi adatok.tar'
Source: C:\Windows\SysWOW64\7za.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\unarchiver.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe
Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Process created: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe
Source: C:\Windows\SysWOW64\unarchiver.exe | Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s' 'C:\Users\user\Desktop\Szallitasi adatok.tar'
                    Source: C:\Windows\SysWOW64\unarchiver.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe'
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeProcess created: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: C:\Windows\SysWOW64\unarchiver.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeCode function: 6_2_00A48507 push dword ptr [esi+3Fh]; iretd
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeCode function: 6_2_00A35683 push es; retf
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeCode function: 6_2_00A49273 push FFFFFFD9h; iretd
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeCode function: 7_2_00F98507 push dword ptr [esi+3Fh]; iretd
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeCode function: 7_2_00F85683 push es; retf
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeCode function: 7_2_017F7A37 push edi; retn 0000h
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeCode function: 7_2_018368AB push FFFFFF8Bh; iretd
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeCode function: 7_2_01836433 pushad ; retf
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeCode function: 7_2_0183683D push FFFFFF8Bh; iretd
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeCode function: 7_2_018367C7 push FFFFFF8Bh; iretd
                    Source: initial sampleStatic PE information: section name: .text entropy: 7.53444175386
                    Source: C:\Windows\SysWOW64\7za.exeFile created: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeJump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
                    Source: C:\Windows\SysWOW64\unarchiver.exe -- Process information set: NOOPENFILEERRORBOX (17 identical entries)
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe -- Process information set: NOOPENFILEERRORBOX (95 identical entries)

                    Malware Analysis System Evasion:

                    Yara detected AntiVM3
                    Source: Yara match -- File source: 00000006.00000002.343156984.0000000002E03000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match -- File source: Process Memory Space: Szallitasi adatok.exe PID: 7056, type: MEMORY
                    Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe -- WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe -- WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                    Source: Szallitasi adatok.exe, 00000006.00000002.343156984.0000000002E03000.00000004.00000001.sdmp -- Binary or memory string: WINE_GET_UNIX_FILE_NAME
                    Source: Szallitasi adatok.exe, 00000006.00000002.343156984.0000000002E03000.00000004.00000001.sdmp -- Binary or memory string: SBIEDLL.DLL
                    Source: C:\Windows\SysWOW64\unarchiver.exe -- Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe -- Thread delayed: delay time: 922337203685477 (3 identical entries)
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe -- Window / User API: threadDelayed 8291
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe -- Window / User API: threadDelayed 1568
                    Source: C:\Windows\SysWOW64\unarchiver.exe TID: 6904 -- Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe TID: 7060 -- Thread sleep time: -99493s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe TID: 7080 -- Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe TID: 7100 -- Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe TID: 5608 -- Thread sleep time: -18446744073709540s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe TID: 6108 -- Thread sleep count: 8291 > 30
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe TID: 6108 -- Thread sleep count: 1568 > 30
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe -- WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe -- WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\SysWOW64\unarchiver.exe -- Code function: 0_2_0146B042 GetSystemInfo,
                    Source: C:\Windows\SysWOW64\unarchiver.exe -- Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe -- Thread delayed: delay time: 99493
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe -- Thread delayed: delay time: 922337203685477 (3 identical entries)
                    Source: Szallitasi adatok.exe, 00000006.00000002.343156984.0000000002E03000.00000004.00000001.sdmp -- Binary or memory string: vmware
                    Source: Szallitasi adatok.exe, 00000007.00000002.595705814.0000000006FA0000.00000004.00000001.sdmp -- Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllM
                    Source: Szallitasi adatok.exe, 00000006.00000002.343156984.0000000002E03000.00000004.00000001.sdmp -- Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                    Source: Szallitasi adatok.exe, 00000006.00000002.343156984.0000000002E03000.00000004.00000001.sdmp -- Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                    Source: Szallitasi adatok.exe, 00000006.00000002.343156984.0000000002E03000.00000004.00000001.sdmp -- Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
                    Source: Szallitasi adatok.exe, 00000006.00000002.343156984.0000000002E03000.00000004.00000001.sdmp -- Binary or memory string: VMWARE
                    Source: Szallitasi adatok.exe, 00000006.00000002.343156984.0000000002E03000.00000004.00000001.sdmp -- Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                    Source: Szallitasi adatok.exe, 00000006.00000002.343156984.0000000002E03000.00000004.00000001.sdmp -- Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                    Source: Szallitasi adatok.exe, 00000006.00000002.343156984.0000000002E03000.00000004.00000001.sdmp -- Binary or memory string: VMware SVGA II
                    Source: Szallitasi adatok.exe, 00000006.00000002.343156984.0000000002E03000.00000004.00000001.sdmp -- Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe -- Process information queried: ProcessInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe -- Code function: 7_2_0183C490 LdrInitializeThunk,
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe -- Process token adjusted: Debug (2 identical entries)
                    Source: C:\Windows\SysWOW64\unarchiver.exe -- Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion:

                    Injects a PE file into a foreign process
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe -- Memory written: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe base: 400000 value starts with: 4D5A
                    Source: C:\Windows\SysWOW64\unarchiver.exe -- Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s' 'C:\Users\user\Desktop\Szallitasi adatok.tar'
                    Source: C:\Windows\SysWOW64\unarchiver.exe -- Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe'
                    Source: C:\Windows\SysWOW64\cmd.exe -- Process created: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe -- Process created: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe
                    Source: Szallitasi adatok.exe, 00000007.00000002.589689355.0000000001EB0000.00000002.00000001.sdmp -- Binary or memory string: Shell_TrayWnd
                    Source: Szallitasi adatok.exe, 00000007.00000002.589689355.0000000001EB0000.00000002.00000001.sdmp -- Binary or memory string: Progman
                    Source: Szallitasi adatok.exe, 00000007.00000002.589689355.0000000001EB0000.00000002.00000001.sdmp -- Binary or memory string: &Program Manager
                    Source: Szallitasi adatok.exe, 00000007.00000002.589689355.0000000001EB0000.00000002.00000001.sdmp -- Binary or memory string: Progmanlock
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe -- Queries volume information: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe -- Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe -- Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe -- Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe -- Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe -- Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe -- Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe -- Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe -- Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe -- Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe -- Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe -- Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe -- Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe -- Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe -- Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe -- Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe -- Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe -- Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe -- Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe -- Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe -- Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\HARNGTON.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\HTOWERT.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\LBRITE.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\LBRITED.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\LBRITEI.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\LCALLIG.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\LFAX.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\LFAXD.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\LFAXI.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\LFAXDI.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\MATURASC.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\MOD20.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\NIAGENG.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\OLDENGL.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\ONYX.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\PARCHM.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\POORICH.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\RAVIE.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\INFROMAN.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\SHOWG.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\SNAP____.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\STENCIL.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\VINERITC.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\VIVALDII.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\LATINWD.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\TCM_____.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\TCMI____.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\TCB_____.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\TCBI____.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\TCCM____.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\TCCB____.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\TCCEB.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\ROCK.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\ROCKI.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\ROCKB.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\ROCKEB.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\ROCKBI.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\ROCC____.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\ROCCB___.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\RAGE.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\PERTIBD.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Fonts\micross.ttf | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
                    Source: C:\Windows\SysWOW64\unarchiver.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information:

                    Yara detected AgentTesla
                    Source: Yara match | File source: 00000007.00000002.590323403.0000000003481000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000007.00000002.586946181.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000006.00000002.344267324.0000000003FF6000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: Szallitasi adatok.exe PID: 7104, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: Szallitasi adatok.exe PID: 7056, type: MEMORY
                    Source: Yara match | File source: 6.2.Szallitasi adatok.exe.4086228.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.2.Szallitasi adatok.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 6.2.Szallitasi adatok.exe.4086228.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 6.2.Szallitasi adatok.exe.4015208.2.raw.unpack, type: UNPACKEDPE
                    Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Tries to harvest and steal browser information (history, passwords, etc)
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Tries to harvest and steal ftp login credentials
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                    Tries to steal Mail credentials (via file access)
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: Yara match | File source: 00000007.00000002.590323403.0000000003481000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: Szallitasi adatok.exe PID: 7104, type: MEMORY

                    Remote Access Functionality:

                    Yara detected AgentTesla
                    Source: Yara match | File source: 00000007.00000002.590323403.0000000003481000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000007.00000002.586946181.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000006.00000002.344267324.0000000003FF6000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: Szallitasi adatok.exe PID: 7104, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: Szallitasi adatok.exe PID: 7056, type: MEMORY
                    Source: Yara match | File source: 6.2.Szallitasi adatok.exe.4086228.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.2.Szallitasi adatok.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 6.2.Szallitasi adatok.exe.4086228.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 6.2.Szallitasi adatok.exe.4015208.2.raw.unpack, type: UNPACKEDPE

                    Mitre Att&ck Matrix

                    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                    Valid Accounts | Windows Management Instrumentation 211 | Path Interception | Process Injection 112 | Masquerading 1 | OS Credential Dumping 2 | Query Registry 1 | Remote Services | Email Collection 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                    Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools 1 | Credentials in Registry 1 | Security Software Discovery 311 | Remote Desktop Protocol | Archive Collected Data 11 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                    Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 131 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Local System 2 | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                    Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 112 | NTDS | Virtualization/Sandbox Evasion 131 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 11 | SIM Card Swap |  | Carrier Billing Fraud
                    Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | Application Window Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
                    Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 3 | Cached Domain Credentials | Remote System Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
                    External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 3 | DCSync | System Information Discovery 115 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact

                    Behavior Graph

                    Behavior Graph ID: 383998
                    Sample: Szallitasi adatok.tar
                    Startdate: 08/04/2021
                    Architecture: WINDOWS
                    Score: 100
                    Sample-level signatures: Found malware configuration; Multi AV Scanner detection for dropped file; Yara detected AgentTesla; 6 other signatures
                    Process tree:
                      unarchiver.exe (started)
                        cmd.exe (started)
                          Szallitasi adatok.exe (started) - signature: Injects a PE file into a foreign processes
                            Szallitasi adatok.exe (started)
                              DNS/IP: smtp.1and1.es 212.227.15.158, 49748, 587 ONEANDONE-ASBrauerstrasse48DE Germany
                              signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
                          conhost.exe (started)
                        7za.exe (started)
                          dropped file: C:\Users\user\...\Szallitasi adatok.exe, PE32
                          conhost.exe (started)

                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

                    No Antivirus matches

                    Dropped Files

                    Source | Detection | Scanner | Label
                    C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | 100% | Joe Sandbox ML |
                    C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe | 19% | ReversingLabs | Win32.Trojan.AgentTesla

                    Unpacked PE Files

                    Source | Detection | Scanner | Label
                    7.2.Szallitasi adatok.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

                    Domains

                    No Antivirus matches

                    URLs

Source | Detection | Scanner | Label | Link
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe | -
http://www.carterandcone.comn-u | 0% | URL Reputation | safe | -
http://CpKupV.com | 0% | Avira URL Cloud | safe | -
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe | -
http://www.goodfont.co.kr-e | 0% | Avira URL Cloud | safe | -
http://www.jiyu-kobo.co.jp/jp/J | 0% | Avira URL Cloud | safe | -
http://www.founder.com.cn/cna-e | 0% | Avira URL Cloud | safe | -
http://www.tiro.com | 0% | URL Reputation | safe | -
http://www.goodfont.co.kr | 0% | URL Reputation | safe | -
http://www.carterandcone.com | 0% | URL Reputation | safe | -
http://www.sajatypeworks.com | 0% | URL Reputation | safe | -
http://www.typography.netD | 0% | URL Reputation | safe | -
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe | -
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe | -
http://fontfabrik.com | 0% | URL Reputation | safe | -
http://www.jiyu-kobo.co.jp// | 0% | URL Reputation | safe | -
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe | -
http://www.sandoll.co.kr | 0% | URL Reputation | safe | -
http://www.urwpp.deDPlease | 0% | URL Reputation | safe | -
http://www.urwpp.de | 0% | URL Reputation | safe | -
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe | -
http://www.sakkal.com | 0% | URL Reputation | safe | -
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe | -
http://www.fontbureau.comasc | 0% | Avira URL Cloud | safe | -
http://www.sandoll.co.kr.krt-b | 0% | Avira URL Cloud | safe | -
http://DynDns.comDynDNS | 0% | URL Reputation | safe | -
http://www.jiyu-kobo.co.jp/U | 0% | URL Reputation | safe | -
http://www.tiro.comslnt | 0% | URL Reputation | safe | -
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe | -
http://www.carterandcone.comr | 0% | Avira URL Cloud | safe | -
http://www.jiyu-kobo.co.jp/C | 0% | URL Reputation | safe | -
http://www.fontbureau.comaJ | 0% | Avira URL Cloud | safe | -
http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe | -
http://www.carterandcone.coml | 0% | URL Reputation | safe | -
http://www.urwpp.derT | 0% | Avira URL Cloud | safe | -
http://www.jiyu-kobo.co.jp/nb-n | 0% | Avira URL Cloud | safe | -
http://www.founder.com.cn/cn | 0% | URL Reputation | safe | -
http://www.zhongyicts.com.cna | 0% | Avira URL Cloud | safe | -
http://www.monotype. | 0% | URL Reputation | safe | -
http://wjANZKRbswl5oYyv5U.com | 0% | Avira URL Cloud | safe | -
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe | -
http://www.jiyu-kobo.co.jp/n | 0% | URL Reputation | safe | -

                    Domains and IPs

                    Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
smtp.1and1.es | 212.227.15.158 | true | false | - | high

                      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | Szallitasi adatok.exe, 00000007.00000002.590323403.0000000003481000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.fontbureau.com/designersG | Szallitasi adatok.exe, 00000006.00000002.347842702.0000000007042000.00000004.00000001.sdmp | false | - | high
http://www.carterandcone.comn-u | Szallitasi adatok.exe, 00000006.00000003.328833893.0000000005E61000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/? | Szallitasi adatok.exe, 00000006.00000002.347842702.0000000007042000.00000004.00000001.sdmp | false | - | high
http://CpKupV.com | Szallitasi adatok.exe, 00000007.00000002.590323403.0000000003481000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn/bThe | Szallitasi adatok.exe, 00000006.00000002.347842702.0000000007042000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.goodfont.co.kr-e | Szallitasi adatok.exe, 00000006.00000003.328148680.0000000005E5D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers? | Szallitasi adatok.exe, 00000006.00000002.347842702.0000000007042000.00000004.00000001.sdmp | false | - | high
https://dist.nuget.org/win-x86-commandline/latest/nuget.exe | Szallitasi adatok.exe, Szallitasi adatok.exe, 00000007.00000000.340920875.0000000000F82000.00000002.00020000.sdmp, Szallitasi adatok.tar | false | - | high
http://www.jiyu-kobo.co.jp/jp/J | Szallitasi adatok.exe, 00000006.00000003.329656338.0000000005E37000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designersC | Szallitasi adatok.exe, 00000006.00000003.330822847.0000000005E62000.00000004.00000001.sdmp | false | - | high
http://www.founder.com.cn/cna-e | Szallitasi adatok.exe, 00000006.00000003.328398898.0000000005E5D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name4 | Szallitasi adatok.exe, 00000006.00000002.343156984.0000000002E03000.00000004.00000001.sdmp | false | - | high
http://www.tiro.com | Szallitasi adatok.exe, 00000006.00000002.347842702.0000000007042000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | Szallitasi adatok.exe, 00000006.00000002.347842702.0000000007042000.00000004.00000001.sdmp, Szallitasi adatok.exe, 00000006.00000003.334203954.0000000005E62000.00000004.00000001.sdmp | false | - | high
http://www.goodfont.co.kr | Szallitasi adatok.exe, 00000006.00000003.328148680.0000000005E5D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.com | Szallitasi adatok.exe, 00000006.00000003.329128388.0000000005E61000.00000004.00000001.sdmp, Szallitasi adatok.exe, 00000006.00000003.328833893.0000000005E61000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designersP | Szallitasi adatok.exe, 00000006.00000003.330822847.0000000005E62000.00000004.00000001.sdmp | false | - | high
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css | Szallitasi adatok.exe, 00000006.00000002.343156984.0000000002E03000.00000004.00000001.sdmp | false | - | high
http://www.sajatypeworks.com | Szallitasi adatok.exe, 00000006.00000002.347842702.0000000007042000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | Szallitasi adatok.exe, 00000006.00000002.347842702.0000000007042000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | Szallitasi adatok.exe, 00000006.00000002.347842702.0000000007042000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | Szallitasi adatok.exe, 00000006.00000002.347842702.0000000007042000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | Szallitasi adatok.exe, 00000006.00000002.347842702.0000000007042000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp// | Szallitasi adatok.exe, 00000006.00000003.329656338.0000000005E37000.00000004.00000001.sdmp, Szallitasi adatok.exe, 00000006.00000003.329810137.0000000005E3A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | Szallitasi adatok.exe, 00000006.00000002.347842702.0000000007042000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://github.com/Spegeli/Pokemon-Go-Rocket-API/archive/master.zip | Szallitasi adatok.exe, Szallitasi adatok.tar | false | - | high
http://www.fonts.com | Szallitasi adatok.exe, 00000006.00000002.347842702.0000000007042000.00000004.00000001.sdmp | false | - | high
http://www.sandoll.co.kr | Szallitasi adatok.exe, 00000006.00000003.328148680.0000000005E5D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | Szallitasi adatok.exe, 00000006.00000002.347842702.0000000007042000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.de | Szallitasi adatok.exe, 00000006.00000003.331404258.0000000005E62000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | Szallitasi adatok.exe, 00000006.00000002.347842702.0000000007042000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Szallitasi adatok.exe, 00000006.00000002.343156984.0000000002E03000.00000004.00000001.sdmp, Szallitasi adatok.exe, 00000006.00000002.343135328.0000000002DF1000.00000004.00000001.sdmp | false | - | high
http://www.sakkal.com | Szallitasi adatok.exe, 00000006.00000003.329984191.0000000005E62000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | Szallitasi adatok.exe, 00000006.00000002.344267324.0000000003FF6000.00000004.00000001.sdmp, Szallitasi adatok.exe, 00000007.00000002.586946181.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comasc | Szallitasi adatok.exe, 00000006.00000003.341878900.0000000005E3A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | Szallitasi adatok.exe, 00000006.00000002.347842702.0000000007042000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.com | Szallitasi adatok.exe, 00000006.00000002.347842702.0000000007042000.00000004.00000001.sdmp | false | - | high
http://www.sandoll.co.kr.krt-b | Szallitasi adatok.exe, 00000006.00000003.328148680.0000000005E5D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://DynDns.comDynDNS | Szallitasi adatok.exe, 00000007.00000002.590323403.0000000003481000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/U | Szallitasi adatok.exe, 00000006.00000003.329656338.0000000005E37000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.comslnt | Szallitasi adatok.exe, 00000006.00000003.329144440.0000000005E61000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | Szallitasi adatok.exe, 00000007.00000002.590323403.0000000003481000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://smtp.1and1.es | Szallitasi adatok.exe, 00000007.00000002.592552943.00000000037DC000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.com/designers~ | Szallitasi adatok.exe, 00000006.00000003.331212623.0000000005E62000.00000004.00000001.sdmp | false | - | high
https://github.com/d-haxton/HaxtonBot/archive/master.zip | Szallitasi adatok.exe, Szallitasi adatok.exe, 00000007.00000000.340920875.0000000000F82000.00000002.00020000.sdmp, Szallitasi adatok.tar | false | - | high
http://www.carterandcone.comr | Szallitasi adatok.exe, 00000006.00000003.329128388.0000000005E61000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/C | Szallitasi adatok.exe, 00000006.00000003.329810137.0000000005E3A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comaJ | Szallitasi adatok.exe, 00000006.00000003.341878900.0000000005E3A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/jp/ | Szallitasi adatok.exe, 00000006.00000003.329656338.0000000005E37000.00000004.00000001.sdmp, Szallitasi adatok.exe, 00000006.00000003.329810137.0000000005E3A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | Szallitasi adatok.exe, 00000006.00000002.347842702.0000000007042000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.derT | Szallitasi adatok.exe, 00000006.00000003.331404258.0000000005E62000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | Szallitasi adatok.exe, 00000006.00000002.347842702.0000000007042000.00000004.00000001.sdmp | false | - | high
http://www.jiyu-kobo.co.jp/nb-n | Szallitasi adatok.exe, 00000006.00000003.329656338.0000000005E37000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn | Szallitasi adatok.exe, 00000006.00000002.347842702.0000000007042000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | Szallitasi adatok.exe, 00000006.00000003.330983935.0000000005E62000.00000004.00000001.sdmp, Szallitasi adatok.exe, 00000006.00000002.347842702.0000000007042000.00000004.00000001.sdmp | false | - | high
http://www.zhongyicts.com.cna | Szallitasi adatok.exe, 00000006.00000003.328730706.0000000005E61000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.monotype. | Szallitasi adatok.exe, 00000006.00000003.333277327.0000000005E61000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://wjANZKRbswl5oYyv5U.com | Szallitasi adatok.exe, 00000007.00000002.590323403.0000000003481000.00000004.00000001.sdmp, Szallitasi adatok.exe, 00000007.00000003.544547709.00000000015E4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/ | Szallitasi adatok.exe, 00000006.00000003.329656338.0000000005E37000.00000004.00000001.sdmp, Szallitasi adatok.exe, 00000006.00000003.329458297.0000000005E34000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/n | Szallitasi adatok.exe, 00000006.00000003.329810137.0000000005E3A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.comn-u0 | Szallitasi adatok.exe, 00000006.00000003.329128388.0000000005E61000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers8 | Szallitasi adatok.exe, 00000006.00000002.347842702.0000000007042000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.com/designers/i | Szallitasi adatok.exe, 00000006.00000003.330590528.0000000005E62000.00000004.00000001.sdmp | false | - | high
http://www.carterandcone.com.N | Szallitasi adatok.exe, 00000006.00000003.328759345.0000000005E61000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/ | Szallitasi adatok.exe, 00000006.00000003.330798629.0000000005E62000.00000004.00000001.sdmp | false | - | high

                                                                  Contacted IPs


                                                                  Public

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
212.227.15.158 | smtp.1and1.es | Germany | - | 8560 | ONEANDONE-ASBrauerstrasse48DE | false

                                                                  General Information

                                                                  Joe Sandbox Version:31.0.0 Emerald
                                                                  Analysis ID:383998
                                                                  Start date:08.04.2021
                                                                  Start time:13:53:46
                                                                  Joe Sandbox Product:CloudBasic
                                                                  Overall analysis duration:0h 9m 32s
                                                                  Hypervisor based Inspection enabled:false
                                                                  Report type:light
                                                                  Sample file name:Szallitasi adatok.tar
                                                                  Cookbook file name:default.jbs
                                                                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:27
                                                                  Number of new started drivers analysed:0
                                                                  Number of existing processes analysed:0
                                                                  Number of existing drivers analysed:0
                                                                  Number of injected processes analysed:0
                                                                  Technologies:
                                                                  • HCA enabled
                                                                  • EGA enabled
                                                                  • HDC enabled
                                                                  • AMSI enabled
                                                                  Analysis Mode:default
                                                                  Analysis stop reason:Timeout
                                                                  Detection:MAL
                                                                  Classification:mal100.troj.spyw.evad.winTAR@11/4@1/1
                                                                  EGA Information:
                                                                  • Successful, ratio: 100%
                                                                  HDC Information:
                                                                  • Successful, ratio: 0.2% (good quality ratio 0%)
                                                                  • Quality average: 14%
                                                                  • Quality standard deviation: 31.3%
                                                                  HCA Information:
                                                                  • Successful, ratio: 100%
                                                                  • Number of executed functions: 0
                                                                  • Number of non-executed functions: 0
                                                                  Cookbook Comments:
                                                                  • Adjust boot time
                                                                  • Enable AMSI
                                                                  • Found application associated with file extension: .tar
                                                                  Warnings:
                                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                                  • Excluded IPs from analysis (whitelisted): 168.61.161.212, 13.88.21.125, 20.82.210.154, 13.64.90.137, 23.10.249.43, 23.10.249.26, 52.155.217.156, 20.54.26.129, 104.43.139.144, 104.42.151.234, 52.255.188.83, 95.100.54.203
                                                                  • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, consumerrp-displaycatalog-aks2eap.md.mp.microsoft.com.akadns.net, prod.fs.microsoft.com.akadns.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                  • Report size getting too big, too many NtQueryValueKey calls found.

                                                                  Simulations

                                                                  Behavior and APIs

Time: 13:54:41
Type: API Interceptor
Description: 778x Sleep call for process: Szallitasi adatok.exe modified

                                                                  Joe Sandbox View / Context

                                                                  IPs

Match: 212.227.15.158
Associated samples (all detected as malicious):
• Recibo de transferencia de dinero.exe
• Geldtransferbeleg.exe
• Factur#U0103 pl#U0103tit#U0103.exe
• JUSTT1.exe
• Facturas pagadas.exe
• kjhh087.exe
• Facturas pagadas.exe
• Facturas_pagadas.exe
• PAG00.exe
• 312000123.exe
• TRANF1.exe
• Orden de pago.exe
• Orden de pago.exe
• OrdenPago2.exe
• 3d#U044f.exe
• Orden de pago.exe
• Orden de pago.exe
• PAP001.exe
• Fizetesi felszolitas.exe
• P0.exe

                                                                                                          Domains

Match: smtp.1and1.es
Associated samples (all detected as malicious), with the IP the domain resolved to in each analysis:
• Recibo de transferencia de dinero.exe: 212.227.15.158
• Geldtransferbeleg.exe: 212.227.15.158
• Factur#U0103 pl#U0103tit#U0103.exe: 212.227.15.158
• factura.exe: 212.227.15.142
• JUSTT1.exe: 212.227.15.158
• Facturas pagadas.exe: 212.227.15.158
• kjhh087.exe: 212.227.15.158
• Facturas pagadas.exe: 212.227.15.142
• Facturas pagadas.exe: 212.227.15.158
• Facturas_pagadas.exe: 212.227.15.158
• #U0420#U0430#U0445#U0443#U043d#U043a#U0438 #U043e#U043f#U043b#U0430#U0447#U0435#U043d#U0456.exe: 212.227.15.142
• PAG00.exe: 212.227.15.158
• 312000123.exe: 212.227.15.158
• Facturi pl#U0103tite la scaden#U021b#U0103.exe: 212.227.15.142
• TRANF1.exe: 212.227.15.158
• Betalingsadvies Opmerking.exe: 212.227.15.142
• 42#U0438.exe: 212.227.15.142
• WYX-09901.exe: 212.227.15.142
• Nota de aviso de pago.exe: 212.227.15.142
• Ordesss.exe: 212.227.15.142

                                                                                                          ASN

Match: ONEANDONE-ASBrauerstrasse48DE
Associated samples (all detected as malicious), with the IP contacted in this ASN:
• mal5.exe: 74.208.5.15
• invoice.exe: 74.208.236.64
• PO7321.exe: 217.160.0.101
• BL01345678053567.exe: 74.208.236.134
• A409043090.exe: 74.208.5.2
• Old9BZy7jO.dll: 82.223.21.211
• mULT14gGmy.dll: 82.223.21.211
• yWA1Ay0538.dll: 82.223.21.211
• 27XuTqKwYF.dll: 82.223.21.211
• Old9BZy7jO.dll: 82.223.21.211
• mULT14gGmy.dll: 82.223.21.211
• JI63JG7EMo.dll: 82.223.21.211
• F7aZDNx6UM.dll: 82.223.21.211
• yWA1Ay0538.dll: 82.223.21.211
• 27XuTqKwYF.dll: 82.223.21.211
• NYDhNBQlYM.dll: 82.223.21.211
• ydKCqL4sTG.dll: 82.223.21.211
• F7aZDNx6UM.dll: 82.223.21.211
• JI63JG7EMo.dll: 82.223.21.211
• TI8E08zJuu.dll: 82.223.21.211

                                                                                                          JA3 Fingerprints

                                                                                                          No context

                                                                                                          Dropped Files

                                                                                                          No context

                                                                                                          Created / dropped Files

                                                                                                          C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\unarchiver.exe.log
                                                                                                          Process:C:\Windows\SysWOW64\unarchiver.exe
                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):388
                                                                                                          Entropy (8bit):5.2529463157768355
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk7v:MLF20NaL329hJ5g522r0
                                                                                                          MD5:FF3B761A021930205BEC9D7664AE9258
                                                                                                          SHA1:1039D595C6333358D5F7EE5619FE6794E6F5FDB1
                                                                                                          SHA-256:A3517BC4B1E6470905F9A38466318B302186496E8706F1976F1ED76F3E87AF0F
                                                                                                          SHA-512:1E77D09CF965575EF9800B1EE8947A02D98F88DBFA267300330860757A0C7350AF857A2CB7001C49AFF1F5BD1E0AE6E90F643B27054522CADC730DD14BC3DE11
                                                                                                          Malicious:false
                                                                                                          Reputation:moderate, very likely benign file
                                                                                                          Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..
                                                                                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Szallitasi adatok.exe.log
                                                                                                          Process:C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe
                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1314
                                                                                                          Entropy (8bit):5.350128552078965
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                                                                                                          MD5:1DC1A2DCC9EFAA84EABF4F6D6066565B
                                                                                                          SHA1:B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                                                                                                          SHA-256:28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                                                                                                          SHA-512:95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
                                                                                                          Malicious:false
                                                                                                          Reputation:high, very likely benign file
                                                                                                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                                                                                          C:\Users\user\AppData\Local\Temp\mcgybaxf.vdb\unarchiver.log
                                                                                                          Process:C:\Windows\SysWOW64\unarchiver.exe
                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):1615
                                                                                                          Entropy (8bit):5.10186681558097
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:48:CZVvUG/G3/Gb3/G3/Gpp/G//G3/GpPv/Gb1/Gcv/GP/Gu/GO/Ge/G3/G4/G3/G2a:UzBUQ
                                                                                                          MD5:C4B67CF81A0C227827D36C996CC306DD
                                                                                                          SHA1:9D9E9E32BEFB33BB6B99BF76D54960A7A9E4B8EB
                                                                                                          SHA-256:3027A6AE557DCC0ACC8C324F766CA3E4FC0BC463799EB8D3AA96484988BC882B
                                                                                                          SHA-512:560D400BEB0DDD24875233192A1E50356C96EBE2D8C4993DB0BF1530E73EA570E69B6883CDC155C4996E211E9390CBC358149F069D77B97BFAAF8D6C7972FD64
                                                                                                          Malicious:false
                                                                                                          Reputation:low
Preview:
04/08/2021 1:54 PM: Unpack: C:\Users\user\Desktop\Szallitasi adatok.tar
04/08/2021 1:54 PM: Tmp dir: C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s
04/08/2021 1:54 PM: Received from standard out:
04/08/2021 1:54 PM: Received from standard out: 7-Zip 18.05 (x86) : Copyright (c) 1999-2018 Igor Pavlov : 2018-04-30
04/08/2021 1:54 PM: Received from standard out:
04/08/2021 1:54 PM: Received from standard out: Scanning the drive for archives:
04/08/2021 1:54 PM: Received from standard out: 1 file, 874496 bytes (854 KiB)
04/08/2021 1:54 PM: Received from standard out:
04/08/2021 1:54 PM: Received from standard out: Extracting archive: C:\Users\user\Desktop\Szallitasi adatok.tar
04/08/2021 1:54 PM: Received from standard out: --
04/08/2021 1:54 PM: Received from standard out: Path = C:\Users\user\Desktop\Szallitasi adatok.tar
04/08/2021 1:54 PM: Received from standard out: Type = tar
04/08/2021 1:54 PM: Received from standard out: Physical Size = 874496
04/08/20

C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe
Process: C:\Windows\SysWOW64\7za.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 872960
Entropy (8bit): 7.186249660947472
Encrypted: false
SSDEEP: 12288:2RWcIIK2eESLm1OYOtc7t/0t5v3QUynop8O1lDGbT1tB5IKUa/+:20/IVlOYOSUXynof1wt/IE
MD5: C615C5F811E05D5743CE4DD4AFAD4055
SHA1: D37B5D2BCCC12CC995B08A9D3200ECF3A7C21D37
SHA-256: 2154D40FF4FC639A9F8CE0208D0F71D75D664FFAF1D92DC6802CE9EE1DC76DB2
SHA-512: 13C828E61E7E9E12096781F4D0567EA402B42E9E01CF6B5B0CAD2A7749B9B4664A23D3F181E398FAB73D4AAB9AE1BD867868D4651636620CACE3F8E30438B6D2
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 19%
Reputation: low

Static File Info

General

File type: tar archive
Entropy (8bit): 7.17922383389497
TrID:
File name: Szallitasi adatok.tar
File size: 874496
MD5: fa2c7acf057d7ecf693cbb13fab9b1b3
SHA1: b67cd39674b6d039e235fbb9cf0272a103afa475
SHA256: 1b90e29a9f49905ead7832ff25d7ba91fddeb4827d7c8ca506c6c0b6f96acda7
SHA512: c0db03c358d2e99f1a801c7fdb7a7155fadca26ac43d0cb76636d2d3962494aedf4cabc6611530138ab67ba40119421ea275c840c2c7a18fc803125a3ca5e981
SSDEEP: 12288:iRWcIIK2eESLm1OYOtc7t/0t5v3QUynop8O1lDGbT1tB5IKUa/+:i0/IVlOYOSUXynof1wt/IE
File Content Preview: Szallitasi adatok.exe...............................................................................0000755.0000000.0000000.00003251000.14033527302.0010636.0..................................................................................................

File Icon

Icon Hash: 00828e8e8686b000

Network Behavior

Network Port Distribution

TCP Packets

Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Apr 8, 2021 13:56:24.634834051 CEST  49748        587        192.168.2.6     212.227.15.158
Apr 8, 2021 13:56:24.655982018 CEST  587          49748      212.227.15.158  192.168.2.6
Apr 8, 2021 13:56:24.656105995 CEST  49748        587        192.168.2.6     212.227.15.158
Apr 8, 2021 13:56:24.680350065 CEST  587          49748      212.227.15.158  192.168.2.6
Apr 8, 2021 13:56:24.680680037 CEST  49748        587        192.168.2.6     212.227.15.158
Apr 8, 2021 13:56:24.700917959 CEST  587          49748      212.227.15.158  192.168.2.6
Apr 8, 2021 13:56:24.700939894 CEST  587          49748      212.227.15.158  192.168.2.6
Apr 8, 2021 13:56:24.701294899 CEST  49748        587        192.168.2.6     212.227.15.158
Apr 8, 2021 13:56:24.721739054 CEST  587          49748      212.227.15.158  192.168.2.6
Apr 8, 2021 13:56:24.763144016 CEST  49748        587        192.168.2.6     212.227.15.158
Apr 8, 2021 13:56:24.854901075 CEST  49748        587        192.168.2.6     212.227.15.158
Apr 8, 2021 13:56:24.877895117 CEST  587          49748      212.227.15.158  192.168.2.6
Apr 8, 2021 13:56:24.877954006 CEST  587          49748      212.227.15.158  192.168.2.6
Apr 8, 2021 13:56:24.877990961 CEST  587          49748      212.227.15.158  192.168.2.6
Apr 8, 2021 13:56:24.878241062 CEST  49748        587        192.168.2.6     212.227.15.158
Apr 8, 2021 13:56:24.882872105 CEST  49748        587        192.168.2.6     212.227.15.158
Apr 8, 2021 13:56:24.903430939 CEST  587          49748      212.227.15.158  192.168.2.6
Apr 8, 2021 13:56:24.945874929 CEST  49748        587        192.168.2.6     212.227.15.158
Apr 8, 2021 13:56:25.274348021 CEST  49748        587        192.168.2.6     212.227.15.158
Apr 8, 2021 13:56:25.294574022 CEST  587          49748      212.227.15.158  192.168.2.6
Apr 8, 2021 13:56:25.307136059 CEST  49748        587        192.168.2.6     212.227.15.158
Apr 8, 2021 13:56:25.327366114 CEST  587          49748      212.227.15.158  192.168.2.6
Apr 8, 2021 13:56:25.328071117 CEST  49748        587        192.168.2.6     212.227.15.158
Apr 8, 2021 13:56:25.354927063 CEST  587          49748      212.227.15.158  192.168.2.6
Apr 8, 2021 13:56:25.357798100 CEST  49748        587        192.168.2.6     212.227.15.158
Apr 8, 2021 13:56:25.391242981 CEST  587          49748      212.227.15.158  192.168.2.6
Apr 8, 2021 13:56:25.391863108 CEST  49748        587        192.168.2.6     212.227.15.158
Apr 8, 2021 13:56:25.415335894 CEST  587          49748      212.227.15.158  192.168.2.6
Apr 8, 2021 13:56:25.418555021 CEST  49748        587        192.168.2.6     212.227.15.158
Apr 8, 2021 13:56:25.439104080 CEST  587          49748      212.227.15.158  192.168.2.6
Apr 8, 2021 13:56:25.447356939 CEST  49748        587        192.168.2.6     212.227.15.158
Apr 8, 2021 13:56:25.447470903 CEST  49748        587        192.168.2.6     212.227.15.158
Apr 8, 2021 13:56:25.450865984 CEST  49748        587        192.168.2.6     212.227.15.158
Apr 8, 2021 13:56:25.450938940 CEST  49748        587        192.168.2.6     212.227.15.158
Apr 8, 2021 13:56:25.467780113 CEST  587          49748      212.227.15.158  192.168.2.6
Apr 8, 2021 13:56:25.471020937 CEST  587          49748      212.227.15.158  192.168.2.6
Apr 8, 2021 13:56:25.475791931 CEST  587          49748      212.227.15.158  192.168.2.6
Apr 8, 2021 13:56:25.527986050 CEST  49748        587        192.168.2.6     212.227.15.158

UDP Packets

Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Apr 8, 2021 13:54:29.310831070 CEST  64267        53         192.168.2.6  8.8.8.8
Apr 8, 2021 13:54:29.323438883 CEST  53           64267      8.8.8.8      192.168.2.6
Apr 8, 2021 13:54:30.150109053 CEST  49448        53         192.168.2.6  8.8.8.8
Apr 8, 2021 13:54:30.162914991 CEST  53           49448      8.8.8.8      192.168.2.6
Apr 8, 2021 13:54:58.056195021 CEST  60342        53         192.168.2.6  8.8.8.8
Apr 8, 2021 13:54:58.068922043 CEST  53           60342      8.8.8.8      192.168.2.6
Apr 8, 2021 13:55:00.362915993 CEST  61346        53         192.168.2.6  8.8.8.8
Apr 8, 2021 13:55:00.375672102 CEST  53           61346      8.8.8.8      192.168.2.6
Apr 8, 2021 13:55:01.744673014 CEST  51774        53         192.168.2.6  8.8.8.8
Apr 8, 2021 13:55:01.764659882 CEST  53           51774      8.8.8.8      192.168.2.6
Apr 8, 2021 13:55:15.327439070 CEST  56023        53         192.168.2.6  8.8.8.8
Apr 8, 2021 13:55:15.339849949 CEST  53           56023      8.8.8.8      192.168.2.6
Apr 8, 2021 13:55:16.030726910 CEST  58384        53         192.168.2.6  8.8.8.8
Apr 8, 2021 13:55:16.044173956 CEST  53           58384      8.8.8.8      192.168.2.6
Apr 8, 2021 13:55:16.076661110 CEST  60261        53         192.168.2.6  8.8.8.8
Apr 8, 2021 13:55:16.090249062 CEST  53           60261      8.8.8.8      192.168.2.6
Apr 8, 2021 13:55:16.503767014 CEST  56061        53         192.168.2.6  8.8.8.8
Apr 8, 2021 13:55:16.516599894 CEST  53           56061      8.8.8.8      192.168.2.6
Apr 8, 2021 13:55:16.855788946 CEST  58336        53         192.168.2.6  8.8.8.8
Apr 8, 2021 13:55:16.869081020 CEST  53           58336      8.8.8.8      192.168.2.6
Apr 8, 2021 13:55:17.018145084 CEST  53781        53         192.168.2.6  8.8.8.8
Apr 8, 2021 13:55:17.046446085 CEST  53           53781      8.8.8.8      192.168.2.6
Apr 8, 2021 13:55:17.291961908 CEST  54064        53         192.168.2.6  8.8.8.8
Apr 8, 2021 13:55:17.304398060 CEST  53           54064      8.8.8.8      192.168.2.6
Apr 8, 2021 13:55:17.742532969 CEST  52811        53         192.168.2.6  8.8.8.8
Apr 8, 2021 13:55:17.756438971 CEST  53           52811      8.8.8.8      192.168.2.6
Apr 8, 2021 13:55:17.772445917 CEST  55299        53         192.168.2.6  8.8.8.8
Apr 8, 2021 13:55:17.791837931 CEST  53           55299      8.8.8.8      192.168.2.6
Apr 8, 2021 13:55:18.222578049 CEST  63745        53         192.168.2.6  8.8.8.8
Apr 8, 2021 13:55:18.235402107 CEST  53           63745      8.8.8.8      192.168.2.6
Apr 8, 2021 13:55:18.547561884 CEST  50055        53         192.168.2.6  8.8.8.8
Apr 8, 2021 13:55:18.560071945 CEST  53           50055      8.8.8.8      192.168.2.6
Apr 8, 2021 13:55:19.110074997 CEST  61374        53         192.168.2.6  8.8.8.8
Apr 8, 2021 13:55:19.123141050 CEST  53           61374      8.8.8.8      192.168.2.6
Apr 8, 2021 13:55:20.157962084 CEST  50339        53         192.168.2.6  8.8.8.8
Apr 8, 2021 13:55:20.170722961 CEST  53           50339      8.8.8.8      192.168.2.6
Apr 8, 2021 13:55:20.609410048 CEST  63307        53         192.168.2.6  8.8.8.8
Apr 8, 2021 13:55:20.621942043 CEST  53           63307      8.8.8.8      192.168.2.6
Apr 8, 2021 13:55:24.486260891 CEST  49694        53         192.168.2.6  8.8.8.8
Apr 8, 2021 13:55:24.498848915 CEST  53           49694      8.8.8.8      192.168.2.6
Apr 8, 2021 13:55:25.246932983 CEST  54982        53         192.168.2.6  8.8.8.8
Apr 8, 2021 13:55:25.259480000 CEST  53           54982      8.8.8.8      192.168.2.6
Apr 8, 2021 13:55:26.208298922 CEST  50010        53         192.168.2.6  8.8.8.8
Apr 8, 2021 13:55:26.221723080 CEST  53           50010      8.8.8.8      192.168.2.6
Apr 8, 2021 13:55:27.153976917 CEST  63718        53         192.168.2.6  8.8.8.8
Apr 8, 2021 13:55:27.167279959 CEST  53           63718      8.8.8.8      192.168.2.6
Apr 8, 2021 13:55:31.936496019 CEST  62116        53         192.168.2.6  8.8.8.8
Apr 8, 2021 13:55:31.948426962 CEST  53           62116      8.8.8.8      192.168.2.6
Apr 8, 2021 13:55:33.254976988 CEST  63816        53         192.168.2.6  8.8.8.8
Apr 8, 2021 13:55:33.281289101 CEST  53           63816      8.8.8.8      192.168.2.6
Apr 8, 2021 13:55:35.488033056 CEST  55014        53         192.168.2.6  8.8.8.8
Apr 8, 2021 13:55:35.501447916 CEST  53           55014      8.8.8.8      192.168.2.6
Apr 8, 2021 13:55:45.156191111 CEST  62208        53         192.168.2.6  8.8.8.8
Apr 8, 2021 13:55:45.168934107 CEST  53           62208      8.8.8.8      192.168.2.6
Apr 8, 2021 13:55:46.059092999 CEST  57574        53         192.168.2.6  8.8.8.8
Apr 8, 2021 13:55:46.072094917 CEST  53           57574      8.8.8.8      192.168.2.6
Apr 8, 2021 13:55:48.830485106 CEST  51818        53         192.168.2.6  8.8.8.8
Apr 8, 2021 13:55:48.842998981 CEST  53           51818      8.8.8.8      192.168.2.6
Apr 8, 2021 13:55:52.643460035 CEST  56628        53         192.168.2.6  8.8.8.8
Apr 8, 2021 13:55:52.656511068 CEST  53           56628      8.8.8.8      192.168.2.6
Apr 8, 2021 13:55:53.470834970 CEST  60778        53         192.168.2.6  8.8.8.8
Apr 8, 2021 13:55:53.484002113 CEST  53           60778      8.8.8.8      192.168.2.6
Apr 8, 2021 13:55:54.145735025 CEST  53799        53         192.168.2.6  8.8.8.8
Apr 8, 2021 13:55:54.158551931 CEST  53           53799      8.8.8.8      192.168.2.6
Apr 8, 2021 13:56:06.882749081 CEST  54683        53         192.168.2.6  8.8.8.8
Apr 8, 2021 13:56:06.895538092 CEST  53           54683      8.8.8.8      192.168.2.6
Apr 8, 2021 13:56:07.708811045 CEST  59329        53         192.168.2.6  8.8.8.8
Apr 8, 2021 13:56:07.727602005 CEST  53           59329      8.8.8.8      192.168.2.6
Apr 8, 2021 13:56:08.603001118 CEST  64021        53         192.168.2.6  8.8.8.8
Apr 8, 2021 13:56:08.635907888 CEST  53           64021      8.8.8.8      192.168.2.6
Apr 8, 2021 13:56:24.476588964 CEST  56129        53         192.168.2.6  8.8.8.8
Apr 8, 2021 13:56:24.499018908 CEST  53           56129      8.8.8.8      192.168.2.6

DNS Queries

Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name           Type            Class
Apr 8, 2021 13:56:24.476588964 CEST  192.168.2.6  8.8.8.8  0xb5a0    Standard query (0)  smtp.1and1.es  A (IP address)  IN (0x0001)

DNS Answers

Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name           CName  Address         Type            Class
Apr 8, 2021 13:56:24.499018908 CEST  8.8.8.8    192.168.2.6  0xb5a0    No error (0)  smtp.1and1.es         212.227.15.158  A (IP address)  IN (0x0001)
Apr 8, 2021 13:56:24.499018908 CEST  8.8.8.8    192.168.2.6  0xb5a0    No error (0)  smtp.1and1.es         212.227.15.142  A (IP address)  IN (0x0001)

SMTP Packets

Timestamp                            Source Port  Dest Port  Source IP       Dest IP         Commands
Apr 8, 2021 13:56:24.680350065 CEST  587          49748      212.227.15.158  192.168.2.6     220 kundenserver.de (mreue109) Nemesis ESMTP Service ready
Apr 8, 2021 13:56:24.680680037 CEST  49748        587        192.168.2.6     212.227.15.158  EHLO 899552
Apr 8, 2021 13:56:24.700939894 CEST  587          49748      212.227.15.158  192.168.2.6     250-kundenserver.de Hello 899552 [185.32.222.8]
                                                                                             250-8BITMIME
                                                                                             250-AUTH LOGIN PLAIN
                                                                                             250-SIZE 140000000
                                                                                             250 STARTTLS
Apr 8, 2021 13:56:24.701294899 CEST  49748        587        192.168.2.6     212.227.15.158  STARTTLS
Apr 8, 2021 13:56:24.721739054 CEST  587          49748      212.227.15.158  192.168.2.6     220 OK

System Behavior

General

Start time: 13:54:32
Start date: 08/04/2021
Path: C:\Windows\SysWOW64\unarchiver.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\Desktop\Szallitasi adatok.tar'
Imagebase: 0xb90000
File size: 10240 bytes
MD5 hash: DB55139D9DD29F24AE8EA8F0E5606901
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

General

Start time: 13:54:33
Start date: 08/04/2021
Path: C:\Windows\SysWOW64\7za.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s' 'C:\Users\user\Desktop\Szallitasi adatok.tar'
Imagebase: 0x70000
File size: 289792 bytes
MD5 hash: 77E556CDFDC5C592F5C46DB4127C6F4C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 13:54:33
Start date: 08/04/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff61de10000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 13:54:34
Start date: 08/04/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe'
                                                                                                            Imagebase:0x2a0000
                                                                                                            File size:232960 bytes
                                                                                                            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high

                                                                                                            General

                                                                                                            Start time:13:54:34
                                                                                                            Start date:08/04/2021
                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                            Imagebase:0x7ff61de10000
                                                                                                            File size:625664 bytes
                                                                                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high

                                                                                                            General

                                                                                                            Start time:13:54:35
                                                                                                            Start date:08/04/2021
                                                                                                            Path:C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe
                                                                                                            Imagebase:0xa30000
                                                                                                            File size:872960 bytes
                                                                                                            MD5 hash:C615C5F811E05D5743CE4DD4AFAD4055
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:.Net C# or VB.NET
                                                                                                            Yara matches:
                                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.344267324.0000000003FF6000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000006.00000002.343156984.0000000002E03000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                            Antivirus matches:
                                                                                                            • Detection: 100%, Joe Sandbox ML
                                                                                                            • Detection: 19%, ReversingLabs
                                                                                                            Reputation:low

                                                                                                            General

                                                                                                            Start time:13:54:42
                                                                                                            Start date:08/04/2021
                                                                                                            Path:C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:C:\Users\user\AppData\Local\Temp\nqvbpsxm.54s\Szallitasi adatok.exe
                                                                                                            Imagebase:0xf80000
                                                                                                            File size:872960 bytes
                                                                                                            MD5 hash:C615C5F811E05D5743CE4DD4AFAD4055
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:.Net C# or VB.NET
                                                                                                            Yara matches:
                                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.590323403.0000000003481000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.590323403.0000000003481000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.586946181.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                            Reputation:low

                                                                                                            Disassembly

                                                                                                            Code Analysis
