Analysis Report 7XCBqj5HLqHcRlU.exe

Overview

General Information

Sample Name:7XCBqj5HLqHcRlU.exe
Analysis ID:404247
MD5:09a25586d2eaf5e8c3a5df5557bad218
SHA1:33acc64a84386fc9b14c9b389f7fc7f4fad089e6
SHA256:e34725603d4f0177a6fbb66cff9f073a90cd74e6a65c05f1a704ab390906474f
Tags:exe

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains very large array initializations
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • 7XCBqj5HLqHcRlU.exe (PID: 5452 cmdline: 'C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe' MD5: 09A25586D2EAF5E8C3A5DF5557BAD218)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "security@prisamexico.netOpy44Yi.e65ymail.prisamexico.net"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000004.00000002.471184243.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.241704135.0000000003DFF000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000004.00000002.476530485.0000000002A01000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: 7XCBqj5HLqHcRlU.exe PID: 5628 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Process Memory Space: 7XCBqj5HLqHcRlU.exe PID: 5628 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(2 further entries not shown)

            Unpacked PEs

Source | Rule | Description | Author
0.2.7XCBqj5HLqHcRlU.exe.3ea1480.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
4.2.7XCBqj5HLqHcRlU.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.7XCBqj5HLqHcRlU.exe.3ea1480.3.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

                  Sigma Overview

                  No Sigma rule has matched

                  Signature Overview


AV Detection:

Found malware configuration
Source: 4.2.7XCBqj5HLqHcRlU.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "security@prisamexico.netOpy44Yi.e65ymail.prisamexico.net"}
Multi AV Scanner detection for submitted file
Source: 7XCBqj5HLqHcRlU.exe | ReversingLabs: Detection: 21%
Machine Learning detection for sample
Source: 7XCBqj5HLqHcRlU.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 4.2.7XCBqj5HLqHcRlU.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Uses 32bit PE files
Source: 7XCBqj5HLqHcRlU.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 7XCBqj5HLqHcRlU.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Networking:

Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.2.3:49737 -> 66.199.141.105:587
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: COGECO-PEER1CA COGECO-PEER1CA
Uses SMTP (mail sending)
Source: global traffic | TCP traffic: 192.168.2.3:49737 -> 66.199.141.105:587
Source: unknown | DNS traffic detected: queries for: mail.prisamexico.net
Source: 7XCBqj5HLqHcRlU.exe, 00000004.00000002.476530485.0000000002A01000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: 7XCBqj5HLqHcRlU.exe, 00000004.00000002.476530485.0000000002A01000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: 7XCBqj5HLqHcRlU.exe, 00000004.00000002.474443610.0000000000D1C000.00000004.00000020.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: 7XCBqj5HLqHcRlU.exe, 00000004.00000002.474443610.0000000000D1C000.00000004.00000020.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: 7XCBqj5HLqHcRlU.exe, 00000004.00000002.474443610.0000000000D1C000.00000004.00000020.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: 7XCBqj5HLqHcRlU.exe, 00000004.00000002.474443610.0000000000D1C000.00000004.00000020.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: 7XCBqj5HLqHcRlU.exe, 00000004.00000002.476530485.0000000002A01000.00000004.00000001.sdmp | String found in binary or memory: http://hDgEgh.com
Source: 7XCBqj5HLqHcRlU.exe, 00000004.00000002.479342187.0000000002CB8000.00000004.00000001.sdmp | String found in binary or memory: http://mail.prisamexico.net
Source: 7XCBqj5HLqHcRlU.exe, 00000004.00000002.479342187.0000000002CB8000.00000004.00000001.sdmp | String found in binary or memory: http://prisamexico.net
Source: 7XCBqj5HLqHcRlU.exe, 00000004.00000002.474443610.0000000000D1C000.00000004.00000020.sdmp | String found in binary or memory: http://r3.i.lencr.org/0
Source: 7XCBqj5HLqHcRlU.exe, 00000004.00000002.474443610.0000000000D1C000.00000004.00000020.sdmp | String found in binary or memory: http://r3.o.lencr.org0
Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: 7XCBqj5HLqHcRlU.exe, 00000004.00000002.479080463.0000000002C80000.00000004.00000001.sdmp, 7XCBqj5HLqHcRlU.exe, 00000004.00000002.479428427.0000000002CE4000.00000004.00000001.sdmp, 7XCBqj5HLqHcRlU.exe, 00000004.00000002.476530485.0000000002A01000.00000004.00000001.sdmp | String found in binary or memory: http://yjaeXK8No5PRZuzN.net
Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.241704135.0000000003DFF000.00000004.00000001.sdmp, 7XCBqj5HLqHcRlU.exe, 00000004.00000002.471184243.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: 7XCBqj5HLqHcRlU.exe, 00000004.00000002.476530485.0000000002A01000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
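The network observations above (a DNS lookup for mail.prisamexico.net followed by a TCP session to 66.199.141.105:587, matching the "SMTP" exfil mode in the extracted configuration) are what a hunt over endpoint network telemetry should key on. Note that 587 is the standard mail-submission port, so the port by itself is not an indicator; what is anomalous is a desktop executable, rather than a mail client, speaking to it. The following is an added example, not part of the Joe Sandbox report and not AgentTesla code: it triages Sysmon Event ID 3 style records (constructed inline, in JSON lines) against that heuristic and against the host and IP indicators taken from this report. The allowlist of expected mail clients and the decoy addresses in the sample events are assumptions.

```python
import json

# Indicators copied from the report above: the SMTP exfil host from the extracted
# configuration and the destination actually contacted during the run.
REPORT_IOC_HOSTS = {"mail.prisamexico.net", "prisamexico.net"}
REPORT_IOC_IPS = {"66.199.141.105"}

# Mail submission/relay ports. 587 is the standard submission port, so the port
# alone proves nothing; the unusual part is which process is using it.
MAIL_PORTS = {25, 465, 587}

# Assumption: processes expected to speak SMTP in this estate. Tune locally.
EXPECTED_MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}


def _basename(image: str) -> str:
    """Lower-cased file name of an image path, tolerating either slash style."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_connection(event: dict) -> list:
    """Return the reasons a Sysmon-style network event is suspicious (empty = clean).

    Expected keys mirror Sysmon Event ID 3: Image, DestinationIp, DestinationPort,
    and optionally DestinationHostname.
    """
    reasons = []
    port = int(event.get("DestinationPort", 0))
    proc = _basename(event.get("Image", ""))
    dst_ip = event.get("DestinationIp", "")
    dst_host = event.get("DestinationHostname", "").lower()

    if port in MAIL_PORTS and proc not in EXPECTED_MAIL_CLIENTS:
        reasons.append("smtp-from-non-mail-client")
    if dst_ip in REPORT_IOC_IPS:
        reasons.append("ioc-ip")
    if dst_host and any(dst_host == h or dst_host.endswith("." + h) for h in REPORT_IOC_HOSTS):
        reasons.append("ioc-host")
    return reasons


def triage_log(lines) -> list:
    """Parse JSON-lines events and return (image, 'ip:port', reasons) for each hit."""
    hits = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        reasons = triage_connection(ev)
        if reasons:
            hits.append((ev["Image"], f'{ev["DestinationIp"]}:{ev["DestinationPort"]}', reasons))
    return hits


# Constructed sample events, not real telemetry. The first mirrors the connection
# recorded in the report; the other two are benign decoys using documentation IPs.
SAMPLE_EVENTS = [
    '{"Image": "C:\\\\Users\\\\user\\\\Desktop\\\\7XCBqj5HLqHcRlU.exe", "DestinationIp": "66.199.141.105", '
    '"DestinationPort": 587, "DestinationHostname": "mail.prisamexico.net"}',
    '{"Image": "C:\\\\Program Files\\\\Microsoft Office\\\\root\\\\Office16\\\\OUTLOOK.EXE", '
    '"DestinationIp": "192.0.2.10", "DestinationPort": 587, "DestinationHostname": "smtp.example.net"}',
    '{"Image": "C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe", '
    '"DestinationIp": "192.0.2.20", "DestinationPort": 443, "DestinationHostname": "www.example.com"}',
]

if __name__ == "__main__":
    for image, dst, reasons in triage_log(SAMPLE_EVENTS):
        print(f"{image} -> {dst}: {', '.join(reasons)}")
```

Only the first constructed event is reported, with all three reasons; the Outlook connection on 587 is not, which is the point of the allowlist. In production the indicator sets would come from a feed rather than being hard-coded, and the hostname match should also be run against DNS query events (Sysmon Event ID 22), since the connect event may carry no hostname at all.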

                  System Summary:

.NET source code contains very large array initializations
Source: 4.2.7XCBqj5HLqHcRlU.exe.400000.0.unpack, <PrivateImplementationDetails>{870E16F5-C16E-43D1-9988-CA3FEBA36821}/7F0C032A-CECD-45E6-921D-6A85A13FF474.cs | Large array initialization: .cctor: array initializer size 11940
Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Code function: 0_2_0106C43C
Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Code function: 0_2_0106E4C3
Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Code function: 0_2_0106E4D0
Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Code function: 4_2_00E264A0
Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Code function: 4_2_00E2B518
Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Code function: 4_2_00E798B0
Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Code function: 4_2_00E72268
Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Code function: 4_2_00E75473
Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Code function: 4_2_00E74D60
Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Code function: 4_2_00E7A0F0
Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Code function: 4_2_00E70040
Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Code function: 4_2_00E73D08
Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Code function: 4_2_00E7BEB8
Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Code function: 4_2_00E79FF1
Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Code function: 4_2_010746A0
Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Code function: 4_2_010745D0
Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Code function: 4_2_0107D980
Sample file is different than original file name gathered from version info
Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.247598798.0000000007350000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs 7XCBqj5HLqHcRlU.exe
Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.247475971.0000000007130000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSmartFormat.dll8 vs 7XCBqj5HLqHcRlU.exe
Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.233718688.000000000082E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameTCUtRTle7N3X8OP.exeR vs 7XCBqj5HLqHcRlU.exe
Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.235179785.0000000002B61000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAxZYHnoYYqlcSsXCcXMUUWAhXRXrJEGEfCeKt.exe4 vs 7XCBqj5HLqHcRlU.exe
Source: 7XCBqj5HLqHcRlU.exe, 00000004.00000000.232750303.000000000060E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameTCUtRTle7N3X8OP.exeR vs 7XCBqj5HLqHcRlU.exe
Source: 7XCBqj5HLqHcRlU.exe, 00000004.00000002.474947402.0000000000E30000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs 7XCBqj5HLqHcRlU.exe
Source: 7XCBqj5HLqHcRlU.exe, 00000004.00000002.471184243.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameAxZYHnoYYqlcSsXCcXMUUWAhXRXrJEGEfCeKt.exe4 vs 7XCBqj5HLqHcRlU.exe
Source: 7XCBqj5HLqHcRlU.exe, 00000004.00000002.471950386.00000000007A8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs 7XCBqj5HLqHcRlU.exe
Source: 7XCBqj5HLqHcRlU.exe, 00000004.00000002.474731974.0000000000D70000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs 7XCBqj5HLqHcRlU.exe
Source: 7XCBqj5HLqHcRlU.exe | Binary or memory string: OriginalFilenameTCUtRTle7N3X8OP.exeR vs 7XCBqj5HLqHcRlU.exe
Source: 4.2.7XCBqj5HLqHcRlU.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/1
Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\7XCBqj5HLqHcRlU.exe.log
Source: 7XCBqj5HLqHcRlU.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: 7XCBqj5HLqHcRlU.exe | Binary or memory string: SELECT DoctorId FROM PatientDoctor WHERE PatientId = {0};
Source: 7XCBqj5HLqHcRlU.exe | Binary or memory string: SELECT * FROM Patients a INNER JOIN PatientDoctor b ON a.Id = b.PatientId WHERE b.DoctorId = {0} ORDER BY LastName;
Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.233519767.0000000000732000.00000002.00020000.sdmp, 7XCBqj5HLqHcRlU.exe, 00000004.00000000.232672737.0000000000512000.00000002.00020000.sdmp | Binary or memory string: SELECT * FROM Patients a INNER JOIN PatientDoctor b ON a.Id = b.PatientId WHERE b.DoctorId = {0} ORDER BY LastName;oSELECT COUNT(*) FROM PatientDoctor WHERE DoctorId = {0}sSELECT DoctorId FROM PatientDoctor WHERE PatientId = {0};
Source: 7XCBqj5HLqHcRlU.exe | String found in binary or memory: Administrators/addNewToolStripMenuItem
Source: unknown | Process created: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe 'C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe'
Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Process created: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe {path}
Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 7XCBqj5HLqHcRlU.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 7XCBqj5HLqHcRlU.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Binary contains a suspicious time stamp
Source: 7XCBqj5HLqHcRlU.exe | Static PE information: 0xF520A8BD [Wed Apr 28 01:17:49 2100 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Code function: 4_2_00EDD95C push eax; ret 4_2_00EDD95D
Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Code function: 4_2_00EDE333 push eax; ret 4_2_00EDE349
Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Code function: 4_2_0107E4D0 push es; retf 4_2_0107E4E6
Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Code function: 4_2_01078B6D pushad ; retf 4_2_01078B8B
Source: initial sample | Static PE information: section name: .text entropy: 7.14608942237
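Two of the static observations above are cheap to reproduce in a triage pipeline: the COFF header timestamp 0xF520A8BD decodes to 28 April 2100, and the .text section entropy of about 7.15 bits per byte is in the range where a section is more likely to hold packed or encrypted data than plain compiled code. The block below is an added example, written for this page and not part of the Joe Sandbox report: it walks the DOS header to the COFF header to read the timestamp, judges whether the date is plausible, and computes Shannon entropy for a section body. The minimal PE image it builds to exercise the parser is constructed and is not this sample. One caveat a practitioner should keep in mind: deterministic Roslyn builds, the default for modern .NET, store a hash-derived value with the high bit set in this field, so a far-future timestamp on a .NET assembly is weak evidence on its own and should be weighed with the rest of the report. The 7.0 alarm threshold is an assumption.

```python
import math
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def coff_timestamp(image: bytes) -> int:
    """Read IMAGE_FILE_HEADER.TimeDateStamp: MZ header -> e_lfanew -> PE signature -> COFF header."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header follows the 4-byte signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (stamp,) = struct.unpack_from("<I", image, e_lfanew + 8)
    return stamp


def describe_timestamp(stamp: int, now: datetime = None) -> tuple:
    """Return (ISO-8601 string, suspicious) for a COFF timestamp.

    Flags stamps in the future or before 1990. Caveat: deterministic Roslyn builds
    write a content hash with the high bit set here, so a .NET assembly with a
    far-future date needs corroboration from other findings.
    """
    when = EPOCH + timedelta(seconds=stamp)
    now = now or datetime.now(timezone.utc)
    suspicious = when > now or when.year < 1990
    return when.isoformat(), suspicious


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, from 0.0 (constant) to 8.0 (uniform); packed/encrypted data runs above ~7."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_packed(section: bytes, threshold: float = 7.0) -> bool:
    """Assumption: 7.0 bits/byte is a reasonable alarm line for a code section."""
    return shannon_entropy(section) >= threshold


def build_minimal_pe(stamp: int) -> bytes:
    """Constructed test image: DOS header, PE signature and a COFF header carrying `stamp`."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after the DOS header
    # Machine=i386, 1 section, stamp, no symbols, 0xE0-byte optional header, EXECUTABLE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    # The value the report shows for this sample, fed through the parser.
    stamp = coff_timestamp(build_minimal_pe(0xF520A8BD))
    print(hex(stamp), describe_timestamp(stamp))
    # Constructed section bodies: a uniform byte spread versus a run of zeros.
    for body in (bytes(range(256)) * 16, b"\x00" * 4096):
        print(round(shannon_entropy(body), 3), looks_packed(body))
```

On a real file, read the whole image into bytes and pass it to coff_timestamp unchanged; for the entropy check, slice each section body out using PointerToRawData and SizeOfRawData from the section table rather than hashing the whole file, since resources and overlays skew a whole-file figure in both directions.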
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Process information set: NOOPENFILEERRORBOX (this entry is repeated 89 times in the report)

                  Malware Analysis System Evasion:

                  Yara detected AntiVM3
                  Source: Yara match | File source: Process Memory Space: 7XCBqj5HLqHcRlU.exe PID: 5452, type: MEMORY
                  Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                  Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.235502993.0000000002BA4000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
                  Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.235502993.0000000002BA4000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Window / User API: threadDelayed 2875
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Window / User API: threadDelayed 6985
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe TID: 5448 | Thread sleep time: -31500s >= -30000s
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe TID: 5076 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe TID: 2172 | Thread sleep time: -16602069666338586s >= -30000s
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe TID: 5924 | Thread sleep count: 2875 > 30
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe TID: 5924 | Thread sleep count: 6985 > 30
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Thread delayed: delay time: 31500
                  Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.235502993.0000000002BA4000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
                  Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.235502993.0000000002BA4000.00000004.00000001.sdmp | Binary or memory string: vmware
                  Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.235502993.0000000002BA4000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                  Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.235502993.0000000002BA4000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                  Source: 7XCBqj5HLqHcRlU.exe, 00000004.00000002.474443610.0000000000D1C000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllT
                  Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.235502993.0000000002BA4000.00000004.00000001.sdmp | Binary or memory string: VMWARE
                  Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.235502993.0000000002BA4000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                  Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.235502993.0000000002BA4000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                  Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.235502993.0000000002BA4000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
                  Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.235502993.0000000002BA4000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Process information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Code function: 4_2_00E72268 LdrInitializeThunk, 4_2_00E72268
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Process token adjusted: Debug
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion:

                  Injects a PE file into a foreign process
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Memory written: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Process created: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe {path}
                  Source: 7XCBqj5HLqHcRlU.exe, 00000004.00000002.475671852.0000000001460000.00000002.00000001.sdmp | Binary or memory string: Program Manager
                  Source: 7XCBqj5HLqHcRlU.exe, 00000004.00000002.475671852.0000000001460000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
                  Source: 7XCBqj5HLqHcRlU.exe, 00000004.00000002.475671852.0000000001460000.00000002.00000001.sdmp | Binary or memory string: Progman
                  Source: 7XCBqj5HLqHcRlU.exe, 00000004.00000002.475671852.0000000001460000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Queries volume information: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe VolumeInformation
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation