
Analysis Report VJNPltkyHyI3CCo.exe

Overview

General Information

Sample Name: VJNPltkyHyI3CCo.exe
Analysis ID: 385435
MD5: 36a7049a4f3be8788f0c844319a5364b
SHA1: fbefd649daddd22154920dcae7dc79f8d6a036ff
SHA256: 20251c86adaf2dc2cf0513e3dc83e78a768d1b016e0dcd738a0e55d3ba7227c4
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains very large array initializations
Injects a PE file into a foreign processes
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • VJNPltkyHyI3CCo.exe (PID: 1156 cmdline: 'C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe' MD5: 36A7049A4F3BE8788F0C844319A5364B)
    • VJNPltkyHyI3CCo.exe (PID: 748 cmdline: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe MD5: 36A7049A4F3BE8788F0C844319A5364B)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "office4@iykmoreentrprise.orgrwkWCM328mail.iykmoreentrprise.org"}
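The process tree above (the sample starting a second copy of itself, PID 1156 -> PID 748) together with the SMTP exfil mode in the extracted configuration is the behaviour a host-based detection should key on; the report notes below that no Sigma rule matched. The following is an added example, not part of the Joe Sandbox report or of Joe Security's rule set: it runs that logic over constructed, Sysmon-like process-create and network-connect events whose values mirror this report, and the mail-client allow-list is an assumption.

```python
"""Detect a process that spawns a copy of itself and then speaks SMTP from
an image that is not a mail client. Added example built around the process
tree and 587/tcp traffic recorded in this report; the events below are
constructed, Sysmon-like records, and MAIL_CLIENTS is an assumed site
allow-list, not data from the report."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int
    severity: str
    detail: str


# Constructed events modelled on Sysmon EID 1 (process create) and EID 3
# (network connect); paths, PIDs and the destination mirror the report.
SAMPLE_EXE = r"C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe"
OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
EVENTS = [
    {"id": 1, "pid": 1156, "image": SAMPLE_EXE, "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 1, "pid": 748, "image": SAMPLE_EXE, "parent_image": SAMPLE_EXE},
    {"id": 3, "pid": 748, "image": SAMPLE_EXE, "dst_ip": "66.70.204.222", "dst_port": 587},
    # Benign control: a real mail client submitting on 587 must stay quiet.
    {"id": 1, "pid": 900, "image": OUTLOOK, "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 3, "pid": 900, "image": OUTLOOK, "dst_ip": "52.96.0.1", "dst_port": 587},
]

MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # assumption: site allow-list
SMTP_PORTS = {25, 465, 587}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return alerts in event order. A self-spawn on its own is low severity
    (browsers and updaters do it constantly); an SMTP connection from a
    non-mail-client image is medium, and high when that same process had
    already spawned itself, which is the sequence this report shows."""
    alerts, self_spawned = [], set()
    for ev in events:
        if ev["id"] == 1 and ev["image"].lower() == ev["parent_image"].lower():
            self_spawned.add(ev["pid"])
            alerts.append(Alert("self_spawn", ev["pid"], "low",
                                f"{basename(ev['image'])} started a copy of itself"))
        elif (ev["id"] == 3 and ev["dst_port"] in SMTP_PORTS
              and basename(ev["image"]) not in MAIL_CLIENTS):
            sev = "high" if ev["pid"] in self_spawned else "medium"
            alerts.append(Alert("smtp_from_non_mail_client", ev["pid"], sev,
                                f"{basename(ev['image'])} -> {ev['dst_ip']}:{ev['dst_port']}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

In a real pipeline correlate on the process GUID rather than the PID, since PIDs are reused, and expect the self-spawn rule alone to be noisy: its value here is only as the first half of the pair.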

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000001.00000002.212033159.0000000003511000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000002.00000002.464818672.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000001.00000002.212559557.000000000465E000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000002.00000002.469579413.0000000003071000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000002.00000002.469579413.0000000003071000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

Unpacked PEs

Source | Rule | Description | Author
1.2.VJNPltkyHyI3CCo.exe.47c26f0.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
1.2.VJNPltkyHyI3CCo.exe.47c26f0.4.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
2.2.VJNPltkyHyI3CCo.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Found malware configuration
Source: 1.2.VJNPltkyHyI3CCo.exe.47c26f0.4.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "office4@iykmoreentrprise.orgrwkWCM328mail.iykmoreentrprise.org"}
Multi AV Scanner detection for submitted file
Source: VJNPltkyHyI3CCo.exe | Virustotal: Detection: 17%
Source: 2.2.VJNPltkyHyI3CCo.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: VJNPltkyHyI3CCo.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: VJNPltkyHyI3CCo.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h
Source: global traffic | TCP traffic: 192.168.2.3:49741 -> 66.70.204.222:587
Source: Joe Sandbox View | IP Address: 66.70.204.222
Source: Joe Sandbox View | ASN Name: OVHFR
Source: unknown | DNS traffic detected: queries for: mail.iykmoreentrprise.org
Source: VJNPltkyHyI3CCo.exe, 00000002.00000002.469579413.0000000003071000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: VJNPltkyHyI3CCo.exe, 00000002.00000002.469579413.0000000003071000.00000004.00000001.sdmp | String found in binary or memory: http://A84D2ljcLQUVG1tA.net
Source: VJNPltkyHyI3CCo.exe, 00000002.00000002.469579413.0000000003071000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: VJNPltkyHyI3CCo.exe, 00000002.00000002.469579413.0000000003071000.00000004.00000001.sdmp | String found in binary or memory: http://GTAZqk.com
Source: VJNPltkyHyI3CCo.exe, 00000002.00000002.472254348.0000000003338000.00000004.00000001.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: VJNPltkyHyI3CCo.exe, 00000002.00000002.474666607.0000000006420000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: VJNPltkyHyI3CCo.exe, 00000002.00000002.472254348.0000000003338000.00000004.00000001.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: VJNPltkyHyI3CCo.exe, 00000002.00000002.472254348.0000000003338000.00000004.00000001.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: VJNPltkyHyI3CCo.exe, 00000002.00000002.472217023.0000000003330000.00000004.00000001.sdmp | String found in binary or memory: http://iykmoreentrprise.org
Source: VJNPltkyHyI3CCo.exe, 00000002.00000002.472217023.0000000003330000.00000004.00000001.sdmp | String found in binary or memory: http://mail.iykmoreentrprise.org
Source: VJNPltkyHyI3CCo.exe, 00000002.00000002.474666607.0000000006420000.00000004.00000001.sdmp | String found in binary or memory: http://r3.i.lencr.org/0
Source: VJNPltkyHyI3CCo.exe, 00000002.00000002.474666607.0000000006420000.00000004.00000001.sdmp | String found in binary or memory: http://r3.o.lencr.org0
Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.211954442.00000000034C1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.211437768.00000000014F7000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.comF
Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.211437768.00000000014F7000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.comFM
Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.211437768.00000000014F7000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.comttva4
Source: VJNPltkyHyI3CCo.exe, 00000001.00000003.198143597.000000000646B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: VJNPltkyHyI3CCo.exe, 00000001.00000003.200177966.000000000645C000.00000004.00000001.sdmp, VJNPltkyHyI3CCo.exe, 00000001.00000003.199446008.0000000006461000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: VJNPltkyHyI3CCo.exe, 00000002.00000002.469579413.0000000003071000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%(
Source: VJNPltkyHyI3CCo.exe, 00000002.00000002.469579413.0000000003071000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.212033159.0000000003511000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.212559557.000000000465E000.00000004.00000001.sdmp, VJNPltkyHyI3CCo.exe, 00000002.00000002.464818672.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: VJNPltkyHyI3CCo.exe, 00000002.00000002.469579413.0000000003071000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
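Most of the URLs carved from memory above are not indicators at all: the font-vendor sites come from font metadata embedded in the .NET resources, the identrust / letsencrypt / lencr.org entries from certificate chains, and the strings carry trailing junk bytes ("…org0", "…comF") because they were cut out of a memory dump. Only mail.iykmoreentrprise.org is corroborated by the DNS query and the 587/tcp connection to 66.70.204.222. The following is an added triage helper, not part of the report or of Joe Sandbox: it parses a constructed handful of signature lines in the "Source: … | …" shape used on this page and separates hosts that were actually contacted from memory-only candidates and from noise. The noise list is an analyst assumption, and api.ipify.org is listed there because it is the public-IP lookup the stealer performs rather than its C2 (still worth a network-level hunt).

```python
"""Pull network IOCs out of Joe Sandbox style signature lines and rank them.
Added example, not code from the report or from Joe Security. SAMPLE is a
constructed excerpt of lines from this report; NOISE_MARKERS is an analyst
assumption about which carved hosts are not worth acting on."""
import re
from dataclasses import dataclass, field

# Constructed input: lines copied from the report in the "Source: <where> | <what>" shape.
SAMPLE = """\
Source: global traffic | TCP traffic: 192.168.2.3:49741 -> 66.70.204.222:587
Source: unknown | DNS traffic detected: queries for: mail.iykmoreentrprise.org
Source: VJNPltkyHyI3CCo.exe, 00000002.00000002.472217023.0000000003330000.00000004.00000001.sdmp | String found in binary or memory: http://mail.iykmoreentrprise.org
Source: VJNPltkyHyI3CCo.exe, 00000002.00000002.469579413.0000000003071000.00000004.00000001.sdmp | String found in binary or memory: http://A84D2ljcLQUVG1tA.net
Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: VJNPltkyHyI3CCo.exe, 00000002.00000002.474666607.0000000006420000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: VJNPltkyHyI3CCo.exe, 00000002.00000002.469579413.0000000003071000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: VJNPltkyHyI3CCo.exe, 00000002.00000002.469579413.0000000003071000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
"""

# Assumption: substrings of hosts an analyst discounts for this family.
# Font vendors (embedded font metadata), CA/CRL/OCSP hosts (certificate
# chains), CDN/licence boilerplate, and api.ipify.org (public-IP lookup).
NOISE_MARKERS = ("fontbureau.com", "fonts.com", "letsencrypt.org", "lencr.org",
                 "identrust.com", "api.ipify.org", "bootstrapcdn.com", "apache.org")

TCP_RE = re.compile(r"TCP traffic: [\d.]+:\d+ -> ([\d.]+):(\d+)")
DNS_RE = re.compile(r"queries for: (\S+)")
URL_RE = re.compile(r"String found in binary or memory: https?://([A-Za-z0-9.-]+)")


@dataclass
class Iocs:
    connections: set = field(default_factory=set)  # (dst_ip, dst_port) seen on the wire
    on_wire: set = field(default_factory=set)      # hosts resolved via DNS
    candidates: set = field(default_factory=set)   # hosts only carved from memory
    noise: set = field(default_factory=set)        # carved hosts matching NOISE_MARKERS


def extract(text):
    """Parse signature lines; DNS/TCP evidence outranks memory strings."""
    iocs, carved = Iocs(), set()
    for line in text.splitlines():
        if m := TCP_RE.search(line):
            iocs.connections.add((m.group(1), int(m.group(2))))
        elif m := DNS_RE.search(line):
            iocs.on_wire.add(m.group(1).lower())
        elif m := URL_RE.search(line):
            carved.add(m.group(1))
    for host in carved:
        if host.lower() in iocs.on_wire:
            continue  # already confirmed by traffic
        # Carved strings often end in a junk byte ("cps.letsencrypt.org0"),
        # so the noise match is by substring rather than exact suffix.
        if any(marker in host.lower() for marker in NOISE_MARKERS):
            iocs.noise.add(host)
        else:
            iocs.candidates.add(host)
    return iocs


if __name__ == "__main__":
    result = extract(SAMPLE)
    print("on wire:   ", sorted(result.on_wire), sorted(result.connections))
    print("candidates:", sorted(result.candidates))
    print("noise:     ", sorted(result.noise))
```

The candidates bucket is where the analyst's time goes: here it holds the unresolved A84D2ljcLQUVG1tA.net string and the Tor bundle URL, which is a configuration option of the family rather than traffic this run produced.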

System Summary:

.NET source code contains very large array initializations
Source: 2.2.VJNPltkyHyI3CCo.exe.400000.0.unpack, <PrivateImplementationDetails>{5844D510-733C-46BB-A6A0-C4CA702DE2D5}/52929DC6-28B3-4277-9F8B-74711A720111.cs | Large array initialization: .cctor: array initializer size 11967
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 1_2_09448B38 NtQueryInformationProcess,
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 1_2_09448B32 NtQueryInformationProcess,
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 1_2_0346DB4C
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 1_2_0346C3A0
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 1_2_0346E211
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 1_2_0346A758
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 1_2_07FC25B0
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 1_2_09440500
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 1_2_0944A9C0
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 1_2_09440F70
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 1_2_094477D8
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 1_2_0944EA78
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 1_2_09448E00
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 1_2_09441E10
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 1_2_0944AE38
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 1_2_0944BD5F
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 1_2_0944BD70
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 1_2_09449113
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 1_2_09444520
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 1_2_09441D28
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 1_2_09444530
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 1_2_0944C9D0
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 1_2_094409E0
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 1_2_0944ADE2
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 1_2_094409F0
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 1_2_09448DF0
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 1_2_0944A9B2
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 1_2_09445060
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 1_2_09442C78
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 1_2_09442401
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 1_2_094404F0
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 1_2_09442C88
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 1_2_09444091
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 1_2_094440A0
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 1_2_094480AA
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 1_2_094480B0
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 1_2_09440F60
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 1_2_09444309
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 1_2_09444318
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 1_2_09449BC0
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 1_2_09444FC1
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 1_2_094477C8
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 1_2_094437D8
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 1_2_094437E8
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 1_2_09449BB0
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 1_2_09443E70
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 1_2_0944AE28
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 1_2_09443AE0
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 1_2_09443E80
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 1_2_0944E680
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 1_2_09447A80
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 1_2_09447A90
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 1_2_09442A90
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 2_2_01042D50
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 2_2_0104ECA8
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 2_2_0104AB20
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 2_2_01041FE0
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 2_2_01042618
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 2_2_01049DB8
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 2_2_0104C4E8
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 2_2_01067D70
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 2_2_01066DD8
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 2_2_0106B077
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 2_2_010620A8
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 2_2_01064A10
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 2_2_010616C8
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 2_2_0106A5A8
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 2_2_0106EBB0
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 2_2_013C012C
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 2_2_013CFB60
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 2_2_013CBBE8
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 2_2_013C5E48
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 2_2_013CBC29
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 2_2_013C763B
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 2_2_013C76D8
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 2_2_014A46A0
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 2_2_014A4690
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 2_2_014ADA00
Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.211180292.0000000000FDE000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSpecialNameAttribute.exe: vs VJNPltkyHyI3CCo.exe
Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.211954442.00000000034C1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSimpleUI.dll2 vs VJNPltkyHyI3CCo.exe
Source: VJNPltkyHyI3CCo.exe, 00000001.00000003.207633242.0000000004777000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDSASignature.dll" vs VJNPltkyHyI3CCo.exe
Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.216980690.00000000093A0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs VJNPltkyHyI3CCo.exe
Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.212018302.000000000350B000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameBmbMvfRMlutQbGRrEptzt.exe4 vs VJNPltkyHyI3CCo.exe
Source: VJNPltkyHyI3CCo.exe, 00000002.00000002.468839253.00000000013B0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx vs VJNPltkyHyI3CCo.exe
Source: VJNPltkyHyI3CCo.exe, 00000002.00000002.465939429.0000000000F88000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs VJNPltkyHyI3CCo.exe
Source: VJNPltkyHyI3CCo.exe, 00000002.00000002.465844922.0000000000BDE000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSpecialNameAttribute.exe: vs VJNPltkyHyI3CCo.exe
Source: VJNPltkyHyI3CCo.exe, 00000002.00000002.468729651.0000000001300000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs VJNPltkyHyI3CCo.exe
Source: VJNPltkyHyI3CCo.exe, 00000002.00000002.468885871.00000000013F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs VJNPltkyHyI3CCo.exe
Source: VJNPltkyHyI3CCo.exe, 00000002.00000002.464818672.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameBmbMvfRMlutQbGRrEptzt.exe4 vs VJNPltkyHyI3CCo.exe
Source: VJNPltkyHyI3CCo.exe | Binary or memory string: OriginalFilenameSpecialNameAttribute.exe: vs VJNPltkyHyI3CCo.exe
Source: VJNPltkyHyI3CCo.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 2.2.VJNPltkyHyI3CCo.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/1
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\VJNPltkyHyI3CCo.exe.log
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.212033159.0000000003511000.00000004.00000001.sdmp | Binary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.212033159.0000000003511000.00000004.00000001.sdmp | Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.212033159.0000000003511000.00000004.00000001.sdmp | Binary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.212033159.0000000003511000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.212033159.0000000003511000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.212033159.0000000003511000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.212033159.0000000003511000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: unknown | Process created: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe 'C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe'
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Process created: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: VJNPltkyHyI3CCo.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 1_2_09447DA9 push esi; ret
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 2_2_01047A37 push edi; retn 0000h
Source: initial sample | Static PE information: section name: .text entropy: 7.9009190253
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeProcess information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion:

                  Yara detected AntiVM3
                  Source: Yara match | File source: 00000001.00000002.212033159.0000000003511000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: VJNPltkyHyI3CCo.exe PID: 1156, type: MEMORY
                  Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                  Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.212033159.0000000003511000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
                  Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.212033159.0000000003511000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Window / User API: threadDelayed 3480
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Window / User API: threadDelayed 6375
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe TID: 1844 | Thread sleep time: -100825s >= -30000s
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe TID: 160 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe TID: 5076 | Thread sleep time: -15679732462653109s >= -30000s
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe TID: 5080 | Thread sleep count: 3480 > 30
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe TID: 5080 | Thread sleep count: 6375 > 30
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Thread delayed: delay time: 100825
                  Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.212033159.0000000003511000.00000004.00000001.sdmp | Binary or memory string: vmware
                  Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.212033159.0000000003511000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                  Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.212033159.0000000003511000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                  Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.212033159.0000000003511000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
                  Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.212033159.0000000003511000.00000004.00000001.sdmp | Binary or memory string: VMWARE
                  Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.212033159.0000000003511000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                  Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.212033159.0000000003511000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                  Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.212033159.0000000003511000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
                  Source: VJNPltkyHyI3CCo.exe, 00000001.00000002.212033159.0000000003511000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
                  Source: VJNPltkyHyI3CCo.exe, 00000002.00000002.468657603.00000000012B0000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Process information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Code function: 2_2_0104E560 LdrInitializeThunk,
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Process token adjusted: Debug
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion:

                  Injects a PE file into foreign processes
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Memory written: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Process created: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe
                  Source: VJNPltkyHyI3CCo.exe, 00000002.00000002.469260289.0000000001A60000.00000002.00000001.sdmp | Binary or memory string: Program Manager
                  Source: VJNPltkyHyI3CCo.exe, 00000002.00000002.469260289.0000000001A60000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
                  Source: VJNPltkyHyI3CCo.exe, 00000002.00000002.469260289.0000000001A60000.00000002.00000001.sdmp | Binary or memory string: Progman
                  Source: VJNPltkyHyI3CCo.exe, 00000002.00000002.469260289.0000000001A60000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 00000002.00000002.464818672.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.212559557.000000000465E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.469579413.0000000003071000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: VJNPltkyHyI3CCo.exe PID: 748, type: MEMORY
Source: Yara match | File source: Process Memory Space: VJNPltkyHyI3CCo.exe PID: 1156, type: MEMORY
Source: Yara match | File source: 1.2.VJNPltkyHyI3CCo.exe.47c26f0.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.VJNPltkyHyI3CCo.exe.47c26f0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.VJNPltkyHyI3CCo.exe.400000.0.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match | File source: 00000002.00000002.469579413.0000000003071000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: VJNPltkyHyI3CCo.exe PID: 748, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 00000002.00000002.464818672.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.212559557.000000000465E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.469579413.0000000003071000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: VJNPltkyHyI3CCo.exe PID: 748, type: MEMORY
Source: Yara match | File source: Process Memory Space: VJNPltkyHyI3CCo.exe PID: 1156, type: MEMORY
Source: Yara match | File source: 1.2.VJNPltkyHyI3CCo.exe.47c26f0.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.VJNPltkyHyI3CCo.exe.47c26f0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.VJNPltkyHyI3CCo.exe.400000.0.unpack, type: UNPACKEDPE

                  Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation (211) | Path Interception | Process Injection (112) | Masquerading (1) | OS Credential Dumping (2) | Query Registry (1) | Remote Services | Email Collection (1) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools (1) | Credentials in Registry (1) | Security Software Discovery (211) | Remote Desktop Protocol | Archive Collected Data (11) | Exfiltration Over Bluetooth | Non-Standard Port (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion (131) | Security Account Manager | Process Discovery (2) | SMB/Windows Admin Shares | Data from Local System (2) | Automated Exfiltration | Non-Application Layer Protocol (1) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection (112) | NTDS | Virtualization/Sandbox Evasion (131) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol (11) | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | Application Window Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information (3) | Cached Domain Credentials | Remote System Discovery (1) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing (3) | DCSync | System Information Discovery (114) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

                  Behavior Graph

                  Screenshots


                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

Source | Detection | Scanner | Label
VJNPltkyHyI3CCo.exe | 17% | Virustotal |

                  Dropped Files

                  No Antivirus matches

                  Unpacked PE Files

Source | Detection | Scanner | Label
2.2.VJNPltkyHyI3CCo.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

                  Domains

Source | Detection | Scanner | Label
mail.iykmoreentrprise.org | 1% | Virustotal |

                  URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://iykmoreentrprise.org | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://www.fontbureau.comF | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://cps.letsencrypt.org0 | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
https://api.ipify.org%( | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.fontbureau.comFM | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://r3.i.lencr.org/0 | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://r3.o.lencr.org0 | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
http://GTAZqk.com | 0% | Avira URL Cloud | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://A84D2ljcLQUVG1tA.net | 0% | Avira URL Cloud | safe
http://www.fontbureau.comttva4 | 0% | Avira URL Cloud | safe
http://www.sakkal.com | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
http://mail.iykmoreentrprise.org | 0% | Avira URL Cloud | safe
http://cps.root-x1.letsencrypt.org0 | 0% | URL Reputation | safe

                  Domains and IPs

                  Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
iykmoreentrprise.org | 66.70.204.222 | true | true | | unknown
mail.iykmoreentrprise.org | unknown | unknown | true | | unknown

                    URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | VJNPltkyHyI3CCo.exe, 00000002.00000002.469579413.0000000003071000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://iykmoreentrprise.org | VJNPltkyHyI3CCo.exe, 00000002.00000002.472217023.0000000003330000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | VJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com | VJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com/designersG | VJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmp | false | | high
http://DynDns.comDynDNS | VJNPltkyHyI3CCo.exe, 00000002.00000002.469579413.0000000003071000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comF | VJNPltkyHyI3CCo.exe, 00000001.00000002.211437768.00000000014F7000.00000004.00000040.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/? | VJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | VJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://cps.letsencrypt.org0 | VJNPltkyHyI3CCo.exe, 00000002.00000002.474666607.0000000006420000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | VJNPltkyHyI3CCo.exe, 00000002.00000002.469579413.0000000003071000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | VJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmp | false | | high
https://api.ipify.org%( | VJNPltkyHyI3CCo.exe, 00000002.00000002.469579413.0000000003071000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.tiro.com | VJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | VJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmp | false | | high
http://www.goodfont.co.kr | VJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comFM | VJNPltkyHyI3CCo.exe, 00000001.00000002.211437768.00000000014F7000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css | VJNPltkyHyI3CCo.exe, 00000001.00000002.212033159.0000000003511000.00000004.00000001.sdmp | false | | high
http://www.carterandcone.coml | VJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://r3.i.lencr.org/0 | VJNPltkyHyI3CCo.exe, 00000002.00000002.474666607.0000000006420000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | VJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | VJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | VJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | VJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | VJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | VJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | VJNPltkyHyI3CCo.exe, 00000001.00000003.200177966.000000000645C000.00000004.00000001.sdmp, VJNPltkyHyI3CCo.exe, 00000001.00000003.199446008.0000000006461000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | VJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | VJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://r3.o.lencr.org0 | VJNPltkyHyI3CCo.exe, 00000002.00000002.474666607.0000000006420000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | VJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | VJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmp | false | | high
https://api.ipify.org%GETMozilla/5.0 | VJNPltkyHyI3CCo.exe, 00000002.00000002.469579413.0000000003071000.00000004.00000001.sdmp | false | URL Reputation: safe | low
http://GTAZqk.com | VJNPltkyHyI3CCo.exe, 00000002.00000002.469579413.0000000003071000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fonts.com | VJNPltkyHyI3CCo.exe, 00000001.00000003.198143597.000000000646B000.00000004.00000001.sdmp | false | | high
http://www.sandoll.co.kr | VJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | VJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | VJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://A84D2ljcLQUVG1tA.net | VJNPltkyHyI3CCo.exe, 00000002.00000002.469579413.0000000003071000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | VJNPltkyHyI3CCo.exe, 00000001.00000002.211954442.00000000034C1000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.comttva4 | VJNPltkyHyI3CCo.exe, 00000001.00000002.211437768.00000000014F7000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sakkal.com | VJNPltkyHyI3CCo.exe, 00000001.00000002.216437484.0000000007702000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | VJNPltkyHyI3CCo.exe, 00000001.00000002.212559557.000000000465E000.00000004.00000001.sdmp, VJNPltkyHyI3CCo.exe, 00000002.00000002.464818672.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
http://mail.iykmoreentrprise.org | VJNPltkyHyI3CCo.exe, 00000002.00000002.472217023.0000000003330000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://cps.root-x1.letsencrypt.org0 | VJNPltkyHyI3CCo.exe, 00000002.00000002.472254348.0000000003338000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown

                                            Contacted IPs


                                            Public

IP: 66.70.204.222
Domain: iykmoreentrprise.org
Country: Canada
ASN: 16276
ASN Name: OVHFR
Malicious: true
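The contacted host above, together with the mail.iykmoreentrprise.org URL seen in memory, is what a responder sweeps DNS and connection logs for. The following is an added example and not part of the Joe Sandbox report: it takes the report's network indicators (the domain iykmoreentrprise.org and its resolved IP 66.70.204.222) and runs them over a handful of constructed log lines. The log format and the lines are made up for the demonstration. Matching is by exact IP and by domain suffix, so the mail.iykmoreentrprise.org host hits via its parent domain while a lookalike such as iykmoreentrprise.org.evil-lookalike.test does not; the sweep keys on the indicator itself, so a lagging reputation verdict (the URL list above rates the mail host "safe") does not suppress the match.

```python
"""Sweep DNS / connection logs for the network indicators listed in the report.

Added example, not part of the Joe Sandbox report. The indicator values come
from the report's 'Contacted IPs' and URL tables; the log format and the log
lines are constructed for this demonstration.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators from the report: the resolved domain and its IP. The mail host
# (mail.iykmoreentrprise.org) is covered by suffix matching on the parent domain.
IOC_DOMAINS = {"iykmoreentrprise.org"}
IOC_IPS = {ipaddress.ip_address("66.70.204.222")}

# Hostname: one or more labels followed by an alphabetic TLD (so dotted quads never match).
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,63})\b", re.I)
# IPv4 dotted quad not embedded in a longer dotted/numeric run (so 66.70.204.2220 is not a hit).
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Constructed sample log lines (made up for this example; not taken from the report).
SAMPLE_LOGS = [
    "2021-04-12T14:21:40Z dns client=10.0.0.5 qname=mail.iykmoreentrprise.org qtype=A answer=66.70.204.222",
    "2021-04-12T14:21:41Z conn src=10.0.0.5 dst=66.70.204.222 proto=tcp",
    "2021-04-12T14:22:03Z dns client=10.0.0.7 qname=www.example.com qtype=A answer=93.184.216.34",
    "2021-04-12T14:22:10Z conn src=10.0.0.9 dst=66.70.204.22 proto=tcp",
    "2021-04-12T14:22:11Z dns client=10.0.0.9 qname=iykmoreentrprise.org.evil-lookalike.test qtype=A",
]


@dataclass(frozen=True)
class Hit:
    line_no: int
    indicator: str   # the IOC that matched
    kind: str        # "domain" or "ip"
    matched: str     # the token found in the log line


def domain_matches(host: str) -> Optional[str]:
    """Return the IOC domain that `host` equals or is a subdomain of, else None.

    Walks from the full name towards the registrable domain, so
    'mail.iykmoreentrprise.org' hits while 'iykmoreentrprise.org.evil.test' does not.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):      # never test a bare TLD
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def sweep(lines: List[str]) -> List[Hit]:
    """Return every IOC hit in `lines`, in line order (domain hits before IP hits per line)."""
    hits: List[Hit] = []
    for line_no, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            ioc = domain_matches(host)
            if ioc:
                hits.append(Hit(line_no, ioc, "domain", host))
        for ip_text in IPV4_RE.findall(line):
            try:
                ip = ipaddress.ip_address(ip_text)   # rejects octets above 255
            except ValueError:
                continue
            if ip in IOC_IPS:
                hits.append(Hit(line_no, str(ip), "ip", ip_text))
    return hits


if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.kind} {hit.matched} -> {hit.indicator}")
```

Run against the constructed lines, the sweep reports the DNS answer and the connection to 66.70.204.222 and the query for the mail host, and stays silent on the near-miss address 66.70.204.22 and on the lookalike domain. Adding indicators is a matter of extending the two sets; the regexes are the part to adapt to a real log source.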

                                            General Information

                                            Joe Sandbox Version:31.0.0 Emerald
                                            Analysis ID:385435
                                            Start date:12.04.2021
                                            Start time:14:20:16
                                            Joe Sandbox Product:CloudBasic
                                            Overall analysis duration:0h 8m 28s
                                            Hypervisor based Inspection enabled:false
                                            Report type:light
                                            Sample file name:VJNPltkyHyI3CCo.exe
                                            Cookbook file name:default.jbs
                                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:26
                                            Number of new started drivers analysed:0
                                            Number of existing processes analysed:0
                                            Number of existing drivers analysed:0
                                            Number of injected processes analysed:0
                                            Technologies:
                                            • HCA enabled
                                            • EGA enabled
                                            • HDC enabled
                                            • AMSI enabled
                                            Analysis Mode:default
                                            Analysis stop reason:Timeout
                                            Detection:MAL
                                            Classification:mal100.troj.spyw.evad.winEXE@3/1@2/1
                                            EGA Information:Failed
                                            HDC Information:
                                            • Successful, ratio: 0.1% (good quality ratio 0%)
                                            • Quality average: 43.3%
                                            • Quality standard deviation: 30.7%
                                            HCA Information:
                                            • Successful, ratio: 98%
                                            • Number of executed functions: 0
                                            • Number of non-executed functions: 0
                                            Cookbook Comments:
                                            • Adjust boot time
                                            • Enable AMSI
                                            • Found application associated with file extension: .exe
                                            Warnings:
                                            • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
                                            • Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 93.184.220.29, 168.61.161.212, 104.43.139.144, 104.42.151.234, 13.107.42.23, 13.107.5.88, 20.82.209.183, 184.30.24.56, 40.88.32.150, 92.122.213.194, 92.122.213.247, 20.54.26.129, 13.88.21.125, 13.64.90.137, 2.17.179.193, 84.53.167.113
                                            • Excluded domains from analysis (whitelisted): cs9.wac.phicdn.net, client-office365-tas.msedge.net, ocos-office365-s2s.msedge.net, arc.msn.com.nsatc.net, config.edge.skype.com.trafficmanager.net, e-0009.e-msedge.net, config-edge-skype.l-0014.l-msedge.net, l-0014.config.skype.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, e15275.g.akamaiedge.net, arc.msn.com, cdn.onenote.net.edgekey.net, skypedataprdcoleus15.cloudapp.net, ocsp.digicert.com, wildcard.weather.microsoft.com.edgekey.net, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, cdn.onenote.net, config.edge.skype.com, www.bing.com, skypedataprdcolwus17.cloudapp.net, afdo-tas-offload.trafficmanager.net, fs.microsoft.com, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, tile-service.weather.microsoft.com, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, ocos-office365-s2s-msedge-net.e-0009.e-msedge.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, blobcollector.events.data.trafficmanager.net, e1553.dspg.akamaiedge.net, l-0014.l-msedge.net, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net
                                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                            • Report size getting too big, too many NtQueryValueKey calls found.

                                            Simulations

                                            Behavior and APIs

Time: 14:21:06
Type: API Interceptor
Description: 793x Sleep call for process: VJNPltkyHyI3CCo.exe modified

                                            Joe Sandbox View / Context

                                            IPs

Match: 66.70.204.222
Associated samples, each detected as malicious:
• 0L2qr7kJMh40sxq.exe
• ApuE9QrdQxe7Um6.exe
• 77iET1jNLJyV8ez.exe
• bOkrXdoYekZPyWI.exe
• ayZYB5SkqMPA06M.exe
• fyZ6iHys7ClIHFR.exe
• uMLNLd9kgPez84h.exe
• YQfInBo2DDpDfIX.exe
• ORDER 700198.exe
• sZJd8CIputxKLHL.exe
• MZE1fH3FADpILLo.exe
• I5aSXk7QgcVm507.exe
• H6KJ04yw37dsJsX.exe
• hyUBmXyIgoC5I09.exe
• 3i8aJ4R0PXl4wT3.exe
• AKBEsuPu9JfDXz3.exe
• 9W5K7OGmYCsPbcT.exe
• c3oWuf8mb3ix7MY.exe
• QAhqxmnssOm5ho4.exe
• Z2YtRnoxRhFt3lk.exe

                                                                                    Domains

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

                                                                                    ASN

Match: OVHFR
Associated samples, each detected as malicious, with the OVH address each one contacted:
• SecuriteInfo.com.Trojan.MinerNET.8.21400.exe -> 51.255.34.118
• Anmodning om tilbud 12-04-2021#U00b7pdf.exe -> 51.195.53.221
• PAYMENT COPY.exe -> 167.114.6.31
• Swift copy.pdf.exe -> 51.222.80.112
• PO-4147074_pdf.exe -> 51.195.53.221
• kQVi54bTM0.exe -> 5.196.102.93
• cym4u.exe -> 188.165.17.91
• Statement-ID-(400603).vbs -> 51.89.204.5
• $108,459.00.html -> 146.59.152.166
• LtfVNumoON.exe -> 144.217.30.204
• giATspz5dw.exe -> 142.4.204.181
• SecuriteInfo.com.__vbaHresultCheckObj.21994.exe -> 149.202.83.171
• SecuriteInfo.com.Variant.Johnnie.321295.17359.exe -> 91.121.140.167
• fileshare.doc -> 188.165.245.148
• SecuriteInfo.com.Variant.Bulz.421173.18141.exe -> 51.89.77.2
• R1210322PIR-2FQUOTATION(P21C00285).exe -> 51.38.214.75
• Notice of change schedule for CID_ CMA CGM AMBER 0QA8FS1NC 0QA8GN1NC - 1st Rev.pdf.exe -> 51.195.53.221
• Notice of change schedule for CID_ CMA CGM AMBER 0QA8FS1NC 0QA8GN1NC - 1st Rev.pdf_1.exe -> 51.195.53.221
• Purchase Order No.10056.exe -> 51.195.53.221
• Quotation_pdf.exe -> 51.195.53.221

                                                                                    JA3 Fingerprints

                                                                                    No context

                                                                                    Dropped Files

                                                                                    No context

                                                                                    Created / dropped Files

                                                                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\VJNPltkyHyI3CCo.exe.log
                                                                                    Process:C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe
                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):1314
                                                                                    Entropy (8bit):5.350128552078965
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                                                                                    MD5:1DC1A2DCC9EFAA84EABF4F6D6066565B
                                                                                    SHA1:B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                                                                                    SHA-256:28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                                                                                    SHA-512:95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
                                                                                    Malicious:true
                                                                                    Reputation:high, very likely benign file
                                                                                    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

                                                                                    Static File Info

                                                                                    General

                                                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Entropy (8bit):7.803865308867252
                                                                                    TrID:
                                                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                    • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                    • DOS Executable Generic (2002/1) 0.01%
                                                                                    File name:VJNPltkyHyI3CCo.exe
                                                                                    File size:836608
                                                                                    MD5:36a7049a4f3be8788f0c844319a5364b
                                                                                    SHA1:fbefd649daddd22154920dcae7dc79f8d6a036ff
                                                                                    SHA256:20251c86adaf2dc2cf0513e3dc83e78a768d1b016e0dcd738a0e55d3ba7227c4
                                                                                    SHA512:aaf5d36c7322e2f050debb26289f208dbd1388b1a980c7e0616ba4b7df42e95f60b382c3f5b88e9b1b4794c169d90332a19327230f0b011f13b7f595c4a40020
                                                                                    SSDEEP:12288:z63pA3f95jKm8HAKA1bBSxvVa6VsOMG6e46bXxec0N4iAhAMLsguzxWYTlK:qpa4m8HAKA3SNqG6jgvCyyhdxWYTs
                                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....t`..............P.............^.... ........@.. ....................... ............@................................

                                                                                    File Icon

                                                                                    Icon Hash:9c9ee4f0f2d2d2da

                                                                                    Static PE Info

                                                                                    General

                                                                                    Entrypoint:0x4bc35e
                                                                                    Entrypoint Section:.text
                                                                                    Digitally signed:false
                                                                                    Imagebase:0x400000
                                                                                    Subsystem:windows gui
                                                                                    Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                    DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                    Time Stamp:0x6074018F [Mon Apr 12 08:15:11 2021 UTC]
                                                                                    TLS Callbacks:
                                                                                    CLR (.Net) Version:v4.0.30319
                                                                                    OS Version Major:4
                                                                                    OS Version Minor:0
                                                                                    File Version Major:4
                                                                                    File Version Minor:0
                                                                                    Subsystem Version Major:4
                                                                                    Subsystem Version Minor:0
                                                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
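Every field in this block (the link time stamp, entry point, image base, subsystem, file and DLL characteristics) and the Data Directories table further down comes from the first few hundred bytes of the file, and an analyst can cross-check a report against the binary without a third-party library. The following is an added example and not part of the Joe Sandbox report: a stdlib-only PE32 header parser, exercised on a header-only image constructed from the values this report shows. In that constructed image the section bounds and the CLR header (COM descriptor) directory entry are made up, because this part of the report does not list them; the flag-bit names are those of the PE/COFF specification.

```python
"""Stdlib-only PE32 header parser reproducing the report's 'Static PE Info' fields.

Added example, not part of the Joe Sandbox report. build_sample_image() constructs a
header-only PE32 image from values the report shows (time stamp, entry point, image
base, characteristics, IMPORT/RESOURCE/BASERELOC directories); its section bounds and
CLR header entry are made up so the RVA-to-section mapping and the managed-code check
have something to resolve against.
"""
import struct
from datetime import datetime, timezone
from typing import Dict, List, Tuple

DATA_DIRECTORIES = [
    "EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC", "DEBUG",
    "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT", "IAT",
    "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED",
]
# Bit names from the PE/COFF specification (subset sufficient for this sample).
FILE_CHARACTERISTICS = {0x0002: "EXECUTABLE_IMAGE", 0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
DLL_CHARACTERISTICS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
                       0x0400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE"}


def parse_pe32(data: bytes) -> Dict:
    """Parse the DOS, COFF and PE32 optional headers plus the section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) is handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]

    # Section table follows the optional header; name/VirtualSize/VirtualAddress suffice here.
    sections: List[Tuple[str, int, int]] = []
    for i in range(nsec):
        name, vsize, vaddr = struct.unpack_from("<8sII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize))

    def section_for(rva: int) -> str:
        for name, vaddr, vsize in sections:
            if vaddr <= rva < vaddr + vsize:
                return name
        return ""

    dirs: Dict[str, Tuple[int, int, str]] = {}
    for i in range(min(ndirs, 16)):
        rva, size = struct.unpack_from("<II", data, opt + 96 + 8 * i)
        dirs[DATA_DIRECTORIES[i]] = (rva, size, section_for(rva) if rva else "")

    return {
        "timestamp": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%a %b %d %H:%M:%S %Y UTC"),
        "entrypoint": image_base + entry_rva,
        "entrypoint_section": section_for(entry_rva),
        "image_base": image_base,
        "subsystem": "windows gui" if subsystem == 2 else f"0x{subsystem:x}",
        "file_characteristics": sorted(n for bit, n in FILE_CHARACTERISTICS.items() if chars & bit),
        "dll_characteristics": sorted(n for bit, n in DLL_CHARACTERISTICS.items() if dll_chars & bit),
        "data_directories": dirs,
        # A non-empty COM descriptor (CLR header) is what makes the file a .NET assembly.
        "is_managed": dirs.get("COM_DESCRIPTOR", (0, 0, ""))[0] != 0,
    }


def build_sample_image() -> bytes:
    """Constructed header-only PE32 image (no section data) mirroring the report's values."""
    dirs = [(0, 0)] * 16
    dirs[1] = (0xBC30C, 0x4F)      # IMPORT, as in the report
    dirs[2] = (0xBE000, 0x11A3C)   # RESOURCE, as in the report
    dirs[5] = (0xD0000, 0xC)       # BASERELOC, as in the report
    dirs[14] = (0x2008, 0x48)      # COM_DESCRIPTOR: made-up location, usual 0x48 size
    # (name, VirtualSize, VirtualAddress): bounds are made up but consistent with the RVAs above.
    sections = [(b".text", 0xBB000, 0x2000), (b".rsrc", 0x11A3C, 0xBE000), (b".reloc", 0xC, 0xD0000)]

    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                    # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0x6074018F, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 16, 0xBC35E)                   # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                  # ImageBase
    struct.pack_into("<HH", opt, 68, 2, 0x8540)                # GUI; NO_SEH|TS_AWARE|DYN_BASE|NX
    struct.pack_into("<I", opt, 92, 16)                        # NumberOfRvaAndSizes
    for i, (rva, size) in enumerate(dirs):
        struct.pack_into("<II", opt, 96 + 8 * i, rva, size)
    secs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, 0, 0, 0, 0, 0, 0, 0) for n, vs, va in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs


if __name__ == "__main__":
    for key, value in parse_pe32(build_sample_image()).items():
        print(f"{key}: {value}")
```

On the constructed image the parser gives back the report's time stamp (0x6074018F decodes to Mon Apr 12 08:15:11 2021 UTC), the 0x4bc35e entry point inside .text, the same four DLL characteristics, and the IMPORT, RESOURCE and BASERELOC directories resolved to .text, .rsrc and .reloc. Pointing parse_pe32 at a real file's bytes works the same way as long as the file is PE32; the function refuses PE32+ deliberately rather than misreading 64-bit offsets.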

                                                                                    Entrypoint Preview

                                                                                    Instruction
                                                                                    jmp dword ptr [00402000h]
                                                                                    or dword ptr [edx], ecx
                                                                                    or eax, 00000020h
                                                                                    add byte ptr [ecx+49h], cl
                                                                                    sub al, byte ptr [eax]
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    dec ebp
                                                                                    dec ebp
                                                                                    add byte ptr [edx], ch
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al
                                                                                    add byte ptr [eax], al

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbc30c | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xbe000 | 0x11a3c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xd0000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xba37c | 0xba400 | False | 0.920096214346 | data | 7.9009190253 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0xbe000 | 0x11a3c | 0x11c00 | False | 0.507840008803 | data | 5.85054037808 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xd0000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0xbe100 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | |
RT_GROUP_ICON | 0xce938 | 0x14 | data | |
RT_VERSION | 0xce95c | 0x3a4 | data | |
RT_MANIFEST | 0xced10 | 0xd25 | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF, LF line terminators | |

Imports

DLL | Import
mscoree.dll | _CorExeMain

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright Adobe Inc, Sel 2011 - 2021
Assembly Version | 1.0.0.0
InternalName | SpecialNameAttribute.exe
FileVersion | 1.0.0.0
CompanyName | Adobe Inc, Sel
LegalTrademarks |
Comments |
ProductName | Image Studio
ProductVersion | 1.0.0.0
FileDescription | Image Studio
OriginalFilename | SpecialNameAttribute.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 12, 2021 14:22:50.436736107 CEST | 49741 | 587 | 192.168.2.3 | 66.70.204.222
Apr 12, 2021 14:22:50.570462942 CEST | 587 | 49741 | 66.70.204.222 | 192.168.2.3
Apr 12, 2021 14:22:50.570601940 CEST | 49741 | 587 | 192.168.2.3 | 66.70.204.222
Apr 12, 2021 14:22:50.833848953 CEST | 587 | 49741 | 66.70.204.222 | 192.168.2.3
Apr 12, 2021 14:22:50.834433079 CEST | 49741 | 587 | 192.168.2.3 | 66.70.204.222
Apr 12, 2021 14:22:50.970660925 CEST | 587 | 49741 | 66.70.204.222 | 192.168.2.3
Apr 12, 2021 14:22:50.971146107 CEST | 49741 | 587 | 192.168.2.3 | 66.70.204.222
Apr 12, 2021 14:22:51.106420994 CEST | 587 | 49741 | 66.70.204.222 | 192.168.2.3
Apr 12, 2021 14:22:51.156291962 CEST | 49741 | 587 | 192.168.2.3 | 66.70.204.222
Apr 12, 2021 14:22:51.221162081 CEST | 49741 | 587 | 192.168.2.3 | 66.70.204.222
Apr 12, 2021 14:22:51.361119032 CEST | 587 | 49741 | 66.70.204.222 | 192.168.2.3
Apr 12, 2021 14:22:51.361181974 CEST | 587 | 49741 | 66.70.204.222 | 192.168.2.3
Apr 12, 2021 14:22:51.361213923 CEST | 587 | 49741 | 66.70.204.222 | 192.168.2.3
Apr 12, 2021 14:22:51.361365080 CEST | 49741 | 587 | 192.168.2.3 | 66.70.204.222
Apr 12, 2021 14:22:51.373605967 CEST | 49741 | 587 | 192.168.2.3 | 66.70.204.222
Apr 12, 2021 14:22:51.507543087 CEST | 587 | 49741 | 66.70.204.222 | 192.168.2.3
Apr 12, 2021 14:22:51.562681913 CEST | 49741 | 587 | 192.168.2.3 | 66.70.204.222
Apr 12, 2021 14:22:51.779840946 CEST | 49741 | 587 | 192.168.2.3 | 66.70.204.222
Apr 12, 2021 14:22:51.913562059 CEST | 587 | 49741 | 66.70.204.222 | 192.168.2.3
Apr 12, 2021 14:22:51.916742086 CEST | 49741 | 587 | 192.168.2.3 | 66.70.204.222
Apr 12, 2021 14:22:52.050908089 CEST | 587 | 49741 | 66.70.204.222 | 192.168.2.3
Apr 12, 2021 14:22:52.052015066 CEST | 49741 | 587 | 192.168.2.3 | 66.70.204.222
Apr 12, 2021 14:22:52.197036028 CEST | 587 | 49741 | 66.70.204.222 | 192.168.2.3
Apr 12, 2021 14:22:52.197877884 CEST | 49741 | 587 | 192.168.2.3 | 66.70.204.222
Apr 12, 2021 14:22:52.334011078 CEST | 587 | 49741 | 66.70.204.222 | 192.168.2.3
Apr 12, 2021 14:22:52.334661961 CEST | 49741 | 587 | 192.168.2.3 | 66.70.204.222
Apr 12, 2021 14:22:52.491643906 CEST | 587 | 49741 | 66.70.204.222 | 192.168.2.3
Apr 12, 2021 14:22:52.492017984 CEST | 49741 | 587 | 192.168.2.3 | 66.70.204.222
Apr 12, 2021 14:22:52.625983000 CEST | 587 | 49741 | 66.70.204.222 | 192.168.2.3
Apr 12, 2021 14:22:52.632345915 CEST | 49741 | 587 | 192.168.2.3 | 66.70.204.222
Apr 12, 2021 14:22:52.632644892 CEST | 49741 | 587 | 192.168.2.3 | 66.70.204.222
Apr 12, 2021 14:22:52.632867098 CEST | 49741 | 587 | 192.168.2.3 | 66.70.204.222
Apr 12, 2021 14:22:52.633090019 CEST | 49741 | 587 | 192.168.2.3 | 66.70.204.222
Apr 12, 2021 14:22:52.768244028 CEST | 587 | 49741 | 66.70.204.222 | 192.168.2.3
Apr 12, 2021 14:22:52.768296003 CEST | 587 | 49741 | 66.70.204.222 | 192.168.2.3
Apr 12, 2021 14:22:52.768328905 CEST | 587 | 49741 | 66.70.204.222 | 192.168.2.3
Apr 12, 2021 14:22:52.768359900 CEST | 587 | 49741 | 66.70.204.222 | 192.168.2.3
Apr 12, 2021 14:22:52.770149946 CEST | 587 | 49741 | 66.70.204.222 | 192.168.2.3
Apr 12, 2021 14:22:52.812777996 CEST | 49741 | 587 | 192.168.2.3 | 66.70.204.222

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 12, 2021 14:20:54.282417059 CEST | 64938 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 14:20:54.360526085 CEST | 53 | 64938 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 14:20:54.747649908 CEST | 60152 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 14:20:54.796515942 CEST | 53 | 60152 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 14:20:55.078618050 CEST | 57544 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 14:20:55.128582001 CEST | 53 | 57544 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 14:21:02.091650963 CEST | 55984 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 14:21:02.150515079 CEST | 53 | 55984 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 14:21:03.015203953 CEST | 64185 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 14:21:03.077584982 CEST | 53 | 64185 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 14:21:05.027339935 CEST | 65110 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 14:21:05.076035023 CEST | 53 | 65110 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 14:21:05.965487957 CEST | 58361 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 14:21:06.014250994 CEST | 53 | 58361 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 14:21:07.100564957 CEST | 63492 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 14:21:07.149406910 CEST | 53 | 63492 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 14:21:08.059403896 CEST | 60831 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 14:21:08.116575956 CEST | 53 | 60831 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 14:21:25.293231010 CEST | 58722 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 14:21:25.299341917 CEST | 56596 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 14:21:25.300570965 CEST | 64101 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 14:21:25.344033003 CEST | 53 | 58722 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 14:21:25.348047972 CEST | 53 | 56596 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 14:21:25.349284887 CEST | 53 | 64101 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 14:21:28.104584932 CEST | 60100 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 14:21:28.157736063 CEST | 53 | 60100 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 14:21:34.428991079 CEST | 53195 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 14:21:34.487699986 CEST | 53 | 53195 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 14:21:39.763340950 CEST | 50141 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 14:21:39.816123009 CEST | 53 | 50141 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 14:21:40.961142063 CEST | 53023 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 14:21:41.018534899 CEST | 53 | 53023 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 14:21:41.914843082 CEST | 49563 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 14:21:41.967256069 CEST | 53 | 49563 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 14:21:42.952872038 CEST | 51352 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 14:21:43.019298077 CEST | 53 | 51352 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 14:21:44.368967056 CEST | 59349 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 14:21:44.432106972 CEST | 53 | 59349 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 14:21:47.789033890 CEST | 57084 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 14:21:47.837738037 CEST | 53 | 57084 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 14:21:54.222506046 CEST | 58823 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 14:21:54.293562889 CEST | 53 | 58823 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 14:22:04.008586884 CEST | 57568 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 14:22:04.057455063 CEST | 53 | 57568 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 14:22:07.453449965 CEST | 50540 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 14:22:07.522109985 CEST | 53 | 50540 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 14:22:18.253395081 CEST | 54366 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 14:22:18.302119970 CEST | 53 | 54366 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 14:22:39.251099110 CEST | 53034 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 14:22:39.303725958 CEST | 53 | 53034 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 14:22:41.328479052 CEST | 57762 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 14:22:41.396962881 CEST | 53 | 57762 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 14:22:47.999886036 CEST | 55435 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 14:22:48.048607111 CEST | 53 | 55435 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 14:22:49.165318012 CEST | 50713 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 14:22:49.216259956 CEST | 53 | 50713 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 14:22:50.113877058 CEST | 56132 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 14:22:50.220279932 CEST | 53 | 56132 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 14:22:50.244390011 CEST | 58987 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 14:22:50.301708937 CEST | 53 | 58987 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 14:22:56.786207914 CEST | 56579 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 14:22:56.834899902 CEST | 53 | 56579 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 14:23:01.025154114 CEST | 60633 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 14:23:01.075602055 CEST | 53 | 60633 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 14:23:02.307183027 CEST | 61292 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 14:23:02.367217064 CEST | 53 | 61292 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 14:23:04.606638908 CEST | 63619 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 14:23:04.656563997 CEST | 53 | 63619 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 14:23:12.221443892 CEST | 64938 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 14:23:12.222440004 CEST | 61946 | 53 | 192.168.2.3 | 8.8.8.8
Apr 12, 2021 14:23:12.281131983 CEST | 53 | 61946 | 8.8.8.8 | 192.168.2.3
Apr 12, 2021 14:23:12.282808065 CEST | 53 | 64938 | 8.8.8.8 | 192.168.2.3

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Apr 12, 2021 14:22:50.113877058 CEST | 192.168.2.3 | 8.8.8.8 | 0x7377 | Standard query (0) | mail.iykmoreentrprise.org | A (IP address) | IN (0x0001)
Apr 12, 2021 14:22:50.244390011 CEST | 192.168.2.3 | 8.8.8.8 | 0x5d52 | Standard query (0) | mail.iykmoreentrprise.org | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Apr 12, 2021 14:22:50.220279932 CEST | 8.8.8.8 | 192.168.2.3 | 0x7377 | No error (0) | mail.iykmoreentrprise.org | iykmoreentrprise.org | | CNAME (Canonical name) | IN (0x0001)
Apr 12, 2021 14:22:50.220279932 CEST | 8.8.8.8 | 192.168.2.3 | 0x7377 | No error (0) | iykmoreentrprise.org | | 66.70.204.222 | A (IP address) | IN (0x0001)
Apr 12, 2021 14:22:50.301708937 CEST | 8.8.8.8 | 192.168.2.3 | 0x5d52 | No error (0) | mail.iykmoreentrprise.org | iykmoreentrprise.org | | CNAME (Canonical name) | IN (0x0001)
Apr 12, 2021 14:22:50.301708937 CEST | 8.8.8.8 | 192.168.2.3 | 0x5d52 | No error (0) | iykmoreentrprise.org | | 66.70.204.222 | A (IP address) | IN (0x0001)

SMTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Apr 12, 2021 14:22:50.833848953 CEST | 587 | 49741 | 66.70.204.222 | 192.168.2.3 | 220-server.wlcserver.com ESMTP Exim 4.94 #2 Mon, 12 Apr 2021 16:22:50 +0400
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Apr 12, 2021 14:22:50.834433079 CEST | 49741 | 587 | 192.168.2.3 | 66.70.204.222 | EHLO 134349
Apr 12, 2021 14:22:50.970660925 CEST | 587 | 49741 | 66.70.204.222 | 192.168.2.3 | 250-server.wlcserver.com Hello 134349 [84.17.52.3]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-X_PIPE_CONNECT
    250-STARTTLS
    250 HELP
Apr 12, 2021 14:22:50.971146107 CEST | 49741 | 587 | 192.168.2.3 | 66.70.204.222 | STARTTLS
Apr 12, 2021 14:22:51.106420994 CEST | 587 | 49741 | 66.70.204.222 | 192.168.2.3 | 220 TLS go ahead

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 14:21:01
Start date: 12/04/2021
Path: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe'
Imagebase: 0xf20000
File size: 836608 bytes
MD5 hash: 36A7049A4F3BE8788F0C844319A5364B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.212033159.0000000003511000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.212559557.000000000465E000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 14:21:07
Start date: 12/04/2021
Path: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\VJNPltkyHyI3CCo.exe
Imagebase: 0xb20000
File size: 836608 bytes
MD5 hash: 36A7049A4F3BE8788F0C844319A5364B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.464818672.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.469579413.0000000003071000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.469579413.0000000003071000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

Disassembly

Code Analysis