Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Analysis Report 7XCBqj5HLqHcRlU.exe

Overview

General Information

Sample Name:7XCBqj5HLqHcRlU.exe
Analysis ID:404247
MD5:09a25586d2eaf5e8c3a5df5557bad218
SHA1:33acc64a84386fc9b14c9b389f7fc7f4fad089e6
SHA256:e34725603d4f0177a6fbb66cff9f073a90cd74e6a65c05f1a704ab390906474f
Tags:exe
Infos:

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains very large array initializations
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • 7XCBqj5HLqHcRlU.exe (PID: 5452 cmdline: 'C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe' MD5: 09A25586D2EAF5E8C3A5DF5557BAD218)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "security@prisamexico.netOpy44Yi.e65ymail.prisamexico.net"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000004.00000002.471184243.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000000.00000002.241704135.0000000003DFF000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      00000004.00000002.476530485.0000000002A01000.00000004.00000001.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        Process Memory Space: 7XCBqj5HLqHcRlU.exe PID: 5628JoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          Process Memory Space: 7XCBqj5HLqHcRlU.exe PID: 5628JoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
            Click to see the 2 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            0.2.7XCBqj5HLqHcRlU.exe.3ea1480.3.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              4.2.7XCBqj5HLqHcRlU.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                0.2.7XCBqj5HLqHcRlU.exe.3ea1480.3.raw.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security

                  Sigma Overview

                  No Sigma rule has matched

                  Signature Overview

                  Click to jump to signature section

                  Show All Signature Results

                  AV Detection:

                  barindex
                  Found malware configurationShow sources
                  Source: 4.2.7XCBqj5HLqHcRlU.exe.400000.0.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "security@prisamexico.netOpy44Yi.e65ymail.prisamexico.net"}
                  Multi AV Scanner detection for submitted fileShow sources
                  Source: 7XCBqj5HLqHcRlU.exeReversingLabs: Detection: 21%
                  Machine Learning detection for sampleShow sources
                  Source: 7XCBqj5HLqHcRlU.exeJoe Sandbox ML: detected
                  Source: 4.2.7XCBqj5HLqHcRlU.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                  Source: 7XCBqj5HLqHcRlU.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                  Source: 7XCBqj5HLqHcRlU.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                  Source: global trafficTCP traffic: 192.168.2.3:49737 -> 66.199.141.105:587
                  Source: Joe Sandbox ViewASN Name: COGECO-PEER1CA COGECO-PEER1CA
                  Source: global trafficTCP traffic: 192.168.2.3:49737 -> 66.199.141.105:587
                  Source: unknownDNS traffic detected: queries for: mail.prisamexico.net
                  Source: 7XCBqj5HLqHcRlU.exe, 00000004.00000002.476530485.0000000002A01000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                  Source: 7XCBqj5HLqHcRlU.exe, 00000004.00000002.476530485.0000000002A01000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
                  Source: 7XCBqj5HLqHcRlU.exe, 00000004.00000002.474443610.0000000000D1C000.00000004.00000020.sdmpString found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
                  Source: 7XCBqj5HLqHcRlU.exe, 00000004.00000002.474443610.0000000000D1C000.00000004.00000020.sdmpString found in binary or memory: http://cps.letsencrypt.org0
                  Source: 7XCBqj5HLqHcRlU.exe, 00000004.00000002.474443610.0000000000D1C000.00000004.00000020.sdmpString found in binary or memory: http://cps.root-x1.letsencrypt.org0
                  Source: 7XCBqj5HLqHcRlU.exe, 00000004.00000002.474443610.0000000000D1C000.00000004.00000020.sdmpString found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
                  Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
                  Source: 7XCBqj5HLqHcRlU.exe, 00000004.00000002.476530485.0000000002A01000.00000004.00000001.sdmpString found in binary or memory: http://hDgEgh.com
                  Source: 7XCBqj5HLqHcRlU.exe, 00000004.00000002.479342187.0000000002CB8000.00000004.00000001.sdmpString found in binary or memory: http://mail.prisamexico.net
                  Source: 7XCBqj5HLqHcRlU.exe, 00000004.00000002.479342187.0000000002CB8000.00000004.00000001.sdmpString found in binary or memory: http://prisamexico.net
                  Source: 7XCBqj5HLqHcRlU.exe, 00000004.00000002.474443610.0000000000D1C000.00000004.00000020.sdmpString found in binary or memory: http://r3.i.lencr.org/0
                  Source: 7XCBqj5HLqHcRlU.exe, 00000004.00000002.474443610.0000000000D1C000.00000004.00000020.sdmpString found in binary or memory: http://r3.o.lencr.org0
                  Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                  Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
                  Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
                  Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                  Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                  Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                  Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                  Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                  Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                  Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                  Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
                  Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                  Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                  Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                  Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                  Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                  Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
                  Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                  Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
                  Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
                  Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
                  Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
                  Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
                  Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                  Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                  Source: 7XCBqj5HLqHcRlU.exe, 00000004.00000002.479080463.0000000002C80000.00000004.00000001.sdmp, 7XCBqj5HLqHcRlU.exe, 00000004.00000002.479428427.0000000002CE4000.00000004.00000001.sdmp, 7XCBqj5HLqHcRlU.exe, 00000004.00000002.476530485.0000000002A01000.00000004.00000001.sdmpString found in binary or memory: http://yjaeXK8No5PRZuzN.net
                  Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.241704135.0000000003DFF000.00000004.00000001.sdmp, 7XCBqj5HLqHcRlU.exe, 00000004.00000002.471184243.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                  Source: 7XCBqj5HLqHcRlU.exe, 00000004.00000002.476530485.0000000002A01000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

                  System Summary:

                  barindex
                  .NET source code contains very large array initializationsShow sources
                  Source: 4.2.7XCBqj5HLqHcRlU.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b870E16F5u002dC16Eu002d43D1u002d9988u002dCA3FEBA36821u007d/u0037F0C032Au002dCECDu002d45E6u002d921Du002d6A85A13FF474.csLarge array initialization: .cctor: array initializer size 11940
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeCode function: 0_2_0106C43C0_2_0106C43C
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeCode function: 0_2_0106E4C30_2_0106E4C3
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeCode function: 0_2_0106E4D00_2_0106E4D0
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeCode function: 4_2_00E264A04_2_00E264A0
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeCode function: 4_2_00E2B5184_2_00E2B518
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeCode function: 4_2_00E798B04_2_00E798B0
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeCode function: 4_2_00E722684_2_00E72268
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeCode function: 4_2_00E754734_2_00E75473
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeCode function: 4_2_00E74D604_2_00E74D60
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeCode function: 4_2_00E7A0F04_2_00E7A0F0
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeCode function: 4_2_00E700404_2_00E70040
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeCode function: 4_2_00E73D084_2_00E73D08
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeCode function: 4_2_00E7BEB84_2_00E7BEB8
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeCode function: 4_2_00E79FF14_2_00E79FF1
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeCode function: 4_2_010746A04_2_010746A0
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeCode function: 4_2_010745D04_2_010745D0
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeCode function: 4_2_0107D9804_2_0107D980
                  Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.247598798.0000000007350000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs 7XCBqj5HLqHcRlU.exe
                  Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.247475971.0000000007130000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSmartFormat.dll8 vs 7XCBqj5HLqHcRlU.exe
                  Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.233718688.000000000082E000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameTCUtRTle7N3X8OP.exeR vs 7XCBqj5HLqHcRlU.exe
                  Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.235179785.0000000002B61000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAxZYHnoYYqlcSsXCcXMUUWAhXRXrJEGEfCeKt.exe4 vs 7XCBqj5HLqHcRlU.exe
                  Source: 7XCBqj5HLqHcRlU.exe, 00000004.00000000.232750303.000000000060E000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameTCUtRTle7N3X8OP.exeR vs 7XCBqj5HLqHcRlU.exe
                  Source: 7XCBqj5HLqHcRlU.exe, 00000004.00000002.474947402.0000000000E30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamewshom.ocx.mui vs 7XCBqj5HLqHcRlU.exe
                  Source: 7XCBqj5HLqHcRlU.exe, 00000004.00000002.471184243.0000000000402000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameAxZYHnoYYqlcSsXCcXMUUWAhXRXrJEGEfCeKt.exe4 vs 7XCBqj5HLqHcRlU.exe
                  Source: 7XCBqj5HLqHcRlU.exe, 00000004.00000002.471950386.00000000007A8000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs 7XCBqj5HLqHcRlU.exe
                  Source: 7XCBqj5HLqHcRlU.exe, 00000004.00000002.474731974.0000000000D70000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs 7XCBqj5HLqHcRlU.exe
                  Source: 7XCBqj5HLqHcRlU.exeBinary or memory string: OriginalFilenameTCUtRTle7N3X8OP.exeR vs 7XCBqj5HLqHcRlU.exe
                  Source: 7XCBqj5HLqHcRlU.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                  Source: 4.2.7XCBqj5HLqHcRlU.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: 4.2.7XCBqj5HLqHcRlU.exe.400000.0.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/1@2/1
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\7XCBqj5HLqHcRlU.exe.logJump to behavior
                  Source: 7XCBqj5HLqHcRlU.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: 7XCBqj5HLqHcRlU.exeBinary or memory string: SELECT DoctorId FROM PatientDoctor WHERE PatientId = {0};
                  Source: 7XCBqj5HLqHcRlU.exeBinary or memory string: SELECT * FROM Patients a INNER JOIN PatientDoctor b ON a.Id = b.PatientId WHERE b.DoctorId = {0} ORDER BY LastName;
                  Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.233519767.0000000000732000.00000002.00020000.sdmp, 7XCBqj5HLqHcRlU.exe, 00000004.00000000.232672737.0000000000512000.00000002.00020000.sdmpBinary or memory string: SELECT * FROM Patients a INNER JOIN PatientDoctor b ON a.Id = b.PatientId WHERE b.DoctorId = {0} ORDER BY LastName;oSELECT COUNT(*) FROM PatientDoctor WHERE DoctorId = {0}sSELECT DoctorId FROM PatientDoctor WHERE PatientId = {0};
                  Source: 7XCBqj5HLqHcRlU.exeReversingLabs: Detection: 21%
                  Source: 7XCBqj5HLqHcRlU.exeString found in binary or memory: Administrators/addNewToolStripMenuItem
                  Source: unknownProcess created: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe 'C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe'
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess created: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe {path}
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess created: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe {path}Jump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32Jump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                  Source: 7XCBqj5HLqHcRlU.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: 7XCBqj5HLqHcRlU.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                  Source: 7XCBqj5HLqHcRlU.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: 7XCBqj5HLqHcRlU.exeStatic PE information: 0xF520A8BD [Wed Apr 28 01:17:49 2100 UTC]
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeCode function: 4_2_00EDD95C push eax; ret 4_2_00EDD95D
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeCode function: 4_2_00EDE333 push eax; ret 4_2_00EDE349
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeCode function: 4_2_0107E4D0 push es; retf 4_2_0107E4E6
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeCode function: 4_2_01078B6D pushad ; retf 4_2_01078B8B
                  Source: initial sampleStatic PE information: section name: .text entropy: 7.14608942237
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                  Malware Analysis System Evasion:

                  barindex
                  Yara detected AntiVM3Show sources
                  Source: Yara matchFile source: Process Memory Space: 7XCBqj5HLqHcRlU.exe PID: 5452, type: MEMORY
                  Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
                  Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.235502993.0000000002BA4000.00000004.00000001.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
                  Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.235502993.0000000002BA4000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeWindow / User API: threadDelayed 2875Jump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeWindow / User API: threadDelayed 6985Jump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe TID: 5448Thread sleep time: -31500s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe TID: 5076Thread sleep time: -922337203685477s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe TID: 2172Thread sleep time: -16602069666338586s >= -30000sJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe TID: 5924Thread sleep count: 2875 > 30Jump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe TID: 5924Thread sleep count: 6985 > 30Jump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeThread delayed: delay time: 31500Jump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.235502993.0000000002BA4000.00000004.00000001.sdmpBinary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
                  Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.235502993.0000000002BA4000.00000004.00000001.sdmpBinary or memory string: vmware
                  Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.235502993.0000000002BA4000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                  Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.235502993.0000000002BA4000.00000004.00000001.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                  Source: 7XCBqj5HLqHcRlU.exe, 00000004.00000002.474443610.0000000000D1C000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllT
                  Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.235502993.0000000002BA4000.00000004.00000001.sdmpBinary or memory string: VMWARE
                  Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.235502993.0000000002BA4000.00000004.00000001.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                  Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.235502993.0000000002BA4000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                  Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.235502993.0000000002BA4000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
                  Source: 7XCBqj5HLqHcRlU.exe, 00000000.00000002.235502993.0000000002BA4000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess information queried: ProcessInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeCode function: 4_2_00E72268 LdrInitializeThunk,4_2_00E72268
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeMemory allocated: page read and write | page guardJump to behavior

                  HIPS / PFW / Operating System Protection Evasion:

                  barindex
                  Injects a PE file into a foreign processesShow sources
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeMemory written: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe base: 400000 value starts with: 4D5AJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeProcess created: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe {path}Jump to behavior
                  Source: 7XCBqj5HLqHcRlU.exe, 00000004.00000002.475671852.0000000001460000.00000002.00000001.sdmpBinary or memory string: Program Manager
                  Source: 7XCBqj5HLqHcRlU.exe, 00000004.00000002.475671852.0000000001460000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
                  Source: 7XCBqj5HLqHcRlU.exe, 00000004.00000002.475671852.0000000001460000.00000002.00000001.sdmpBinary or memory string: Progman
                  Source: 7XCBqj5HLqHcRlU.exe, 00000004.00000002.475671852.0000000001460000.00000002.00000001.sdmpBinary or memory string: Progmanlock
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                  Stealing of Sensitive Information:

                  barindex
                  Yara detected AgentTeslaShow sources
                  Source: Yara matchFile source: 00000004.00000002.471184243.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.241704135.0000000003DFF000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: 7XCBqj5HLqHcRlU.exe PID: 5628, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: 7XCBqj5HLqHcRlU.exe PID: 5452, type: MEMORY
                  Source: Yara matchFile source: 0.2.7XCBqj5HLqHcRlU.exe.3ea1480.3.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 4.2.7XCBqj5HLqHcRlU.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.7XCBqj5HLqHcRlU.exe.3ea1480.3.raw.unpack, type: UNPACKEDPE
                  Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)Show sources
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
                  Tries to harvest and steal browser information (history, passwords, etc)Show sources
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                  Tries to harvest and steal ftp login credentialsShow sources
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\Jump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xmlJump to behavior
                  Tries to steal Mail credentials (via file access)Show sources
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                  Source: C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                  Source: Yara matchFile source: 00000004.00000002.476530485.0000000002A01000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: 7XCBqj5HLqHcRlU.exe PID: 5628, type: MEMORY

                  Remote Access Functionality:

                  barindex
                  Yara detected AgentTeslaShow sources
                  Source: Yara matchFile source: 00000004.00000002.471184243.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.241704135.0000000003DFF000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: 7XCBqj5HLqHcRlU.exe PID: 5628, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: 7XCBqj5HLqHcRlU.exe PID: 5452, type: MEMORY
                  Source: Yara matchFile source: 0.2.7XCBqj5HLqHcRlU.exe.3ea1480.3.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 4.2.7XCBqj5HLqHcRlU.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.7XCBqj5HLqHcRlU.exe.3ea1480.3.raw.unpack, type: UNPACKEDPE

                  Mitre Att&ck Matrix

                  Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                  Valid AccountsWindows Management Instrumentation211Path InterceptionProcess Injection112Masquerading1OS Credential Dumping2Query Registry1Remote ServicesEmail Collection1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                  Default AccountsCommand and Scripting Interpreter2Boot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsDisable or Modify Tools1Credentials in Registry1Security Software Discovery211Remote Desktop ProtocolArchive Collected Data11Exfiltration Over BluetoothNon-Standard Port1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                  Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Virtualization/Sandbox Evasion131Security Account ManagerProcess Discovery2SMB/Windows Admin SharesData from Local System2Automated ExfiltrationNon-Application Layer Protocol1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                  Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Process Injection112NTDSVirtualization/Sandbox Evasion131Distributed Component Object ModelInput CaptureScheduled TransferApplication Layer Protocol11SIM Card SwapCarrier Billing Fraud
                  Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptDeobfuscate/Decode Files or Information1LSA SecretsApplication Window Discovery1SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                  Replication Through Removable MediaLaunchdRc.commonRc.commonObfuscated Files or Information2Cached Domain CredentialsRemote System Discovery1VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                  External Remote ServicesScheduled TaskStartup ItemsStartup ItemsSoftware Packing2DCSyncSystem Information Discovery114Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                  Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobTimestomp1Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

                  Behavior Graph

                  Hide Legend

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet

                  Screenshots

                  Thumbnails

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.

                  windows-stand

                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

                  SourceDetectionScannerLabelLink
                  7XCBqj5HLqHcRlU.exe21%ReversingLabsByteCode-MSIL.Trojan.AgentTesla
                  7XCBqj5HLqHcRlU.exe100%Joe Sandbox ML

                  Dropped Files

                  No Antivirus matches

                  Unpacked PE Files

                  SourceDetectionScannerLabelLinkDownload
                  4.2.7XCBqj5HLqHcRlU.exe.400000.0.unpack100%AviraTR/Spy.Gen8Download File

                  Domains

                  No Antivirus matches

                  URLs

                  SourceDetectionScannerLabelLink
                  http://127.0.0.1:HTTP/1.10%Avira URL Cloudsafe
                  http://DynDns.comDynDNS0%URL Reputationsafe
                  http://DynDns.comDynDNS0%URL Reputationsafe
                  http://DynDns.comDynDNS0%URL Reputationsafe
                  http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                  http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                  http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                  http://cps.letsencrypt.org00%URL Reputationsafe
                  http://cps.letsencrypt.org00%URL Reputationsafe
                  http://cps.letsencrypt.org00%URL Reputationsafe
                  https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
                  https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
                  https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha0%URL Reputationsafe
                  http://www.tiro.com0%URL Reputationsafe
                  http://www.tiro.com0%URL Reputationsafe
                  http://www.tiro.com0%URL Reputationsafe
                  http://www.goodfont.co.kr0%URL Reputationsafe
                  http://www.goodfont.co.kr0%URL Reputationsafe
                  http://www.goodfont.co.kr0%URL Reputationsafe
                  http://prisamexico.net0%Avira URL Cloudsafe
                  http://www.carterandcone.coml0%URL Reputationsafe
                  http://www.carterandcone.coml0%URL Reputationsafe
                  http://www.carterandcone.coml0%URL Reputationsafe
                  http://r3.i.lencr.org/00%URL Reputationsafe
                  http://r3.i.lencr.org/00%URL Reputationsafe
                  http://r3.i.lencr.org/00%URL Reputationsafe
                  http://www.sajatypeworks.com0%URL Reputationsafe
                  http://www.sajatypeworks.com0%URL Reputationsafe
                  http://www.sajatypeworks.com0%URL Reputationsafe
                  http://www.typography.netD0%URL Reputationsafe
                  http://www.typography.netD0%URL Reputationsafe
                  http://www.typography.netD0%URL Reputationsafe
                  http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
                  http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
                  http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
                  http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
                  http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
                  http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
                  http://fontfabrik.com0%URL Reputationsafe
                  http://fontfabrik.com0%URL Reputationsafe
                  http://fontfabrik.com0%URL Reputationsafe
                  http://www.founder.com.cn/cn0%URL Reputationsafe
                  http://www.founder.com.cn/cn0%URL Reputationsafe
                  http://www.founder.com.cn/cn0%URL Reputationsafe
                  http://mail.prisamexico.net0%Avira URL Cloudsafe
                  http://yjaeXK8No5PRZuzN.net0%Avira URL Cloudsafe
                  http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
                  http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
                  http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
                  http://r3.o.lencr.org00%URL Reputationsafe
                  http://r3.o.lencr.org00%URL Reputationsafe
                  http://r3.o.lencr.org00%URL Reputationsafe
                  http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                  http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                  http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                  http://www.sandoll.co.kr0%URL Reputationsafe
                  http://www.sandoll.co.kr0%URL Reputationsafe
                  http://www.sandoll.co.kr0%URL Reputationsafe
                  http://hDgEgh.com0%Avira URL Cloudsafe
                  http://www.urwpp.deDPlease0%URL Reputationsafe
                  http://www.urwpp.deDPlease0%URL Reputationsafe
                  http://www.urwpp.deDPlease0%URL Reputationsafe
                  http://www.zhongyicts.com.cn0%URL Reputationsafe
                  http://www.zhongyicts.com.cn0%URL Reputationsafe
                  http://www.zhongyicts.com.cn0%URL Reputationsafe
                  http://www.sakkal.com0%URL Reputationsafe
                  http://www.sakkal.com0%URL Reputationsafe
                  http://www.sakkal.com0%URL Reputationsafe
                  https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
                  https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
                  https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip0%URL Reputationsafe
                  http://cps.root-x1.letsencrypt.org00%URL Reputationsafe
                  http://cps.root-x1.letsencrypt.org00%URL Reputationsafe
                  http://cps.root-x1.letsencrypt.org00%URL Reputationsafe

                  Domains and IPs

                  Contacted Domains

                  NameIPActiveMaliciousAntivirus DetectionReputation
                  prisamexico.net
                  		66.199.141.105
                  		truetrue
                    		unknown
                    mail.prisamexico.net
                    		unknown
                    		unknowntrue
                      		unknown

                      URLs from Memory and Binaries

                      NameSourceMaliciousAntivirus DetectionReputation
                      http://127.0.0.1:HTTP/1.17XCBqj5HLqHcRlU.exe, 00000004.00000002.476530485.0000000002A01000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      		low
                      http://www.apache.org/licenses/LICENSE-2.07XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmpfalse
                        		high
                        http://www.fontbureau.com7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmpfalse
                          		high
                          http://www.fontbureau.com/designersG7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmpfalse
                            		high
                            http://DynDns.comDynDNS7XCBqj5HLqHcRlU.exe, 00000004.00000002.476530485.0000000002A01000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            		unknown
                            http://www.fontbureau.com/designers/?7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmpfalse
                              		high
                              http://www.founder.com.cn/cn/bThe7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              		unknown
                              http://cps.letsencrypt.org07XCBqj5HLqHcRlU.exe, 00000004.00000002.474443610.0000000000D1C000.00000004.00000020.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              		unknown
                              https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha7XCBqj5HLqHcRlU.exe, 00000004.00000002.476530485.0000000002A01000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              		unknown
                              http://www.fontbureau.com/designers?7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmpfalse
                                		high
                                http://www.tiro.com7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                		unknown
                                http://www.fontbureau.com/designers7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmpfalse
                                  		high
                                  http://www.goodfont.co.kr7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://prisamexico.net7XCBqj5HLqHcRlU.exe, 00000004.00000002.479342187.0000000002CB8000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.carterandcone.coml7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://r3.i.lencr.org/07XCBqj5HLqHcRlU.exe, 00000004.00000002.474443610.0000000000D1C000.00000004.00000020.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.sajatypeworks.com7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.typography.netD7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.fontbureau.com/designers/cabarga.htmlN7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmpfalse
                                    		high
                                    http://www.founder.com.cn/cn/cThe7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.galapagosdesign.com/staff/dennis.htm7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    		unknown
                                    http://fontfabrik.com7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.founder.com.cn/cn7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.fontbureau.com/designers/frere-jones.html7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmpfalse
                                      		high
                                      http://mail.prisamexico.net7XCBqj5HLqHcRlU.exe, 00000004.00000002.479342187.0000000002CB8000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      http://yjaeXK8No5PRZuzN.net7XCBqj5HLqHcRlU.exe, 00000004.00000002.479080463.0000000002C80000.00000004.00000001.sdmp, 7XCBqj5HLqHcRlU.exe, 00000004.00000002.479428427.0000000002CE4000.00000004.00000001.sdmp, 7XCBqj5HLqHcRlU.exe, 00000004.00000002.476530485.0000000002A01000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      http://www.jiyu-kobo.co.jp/7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      		unknown
                                      http://r3.o.lencr.org07XCBqj5HLqHcRlU.exe, 00000004.00000002.474443610.0000000000D1C000.00000004.00000020.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.galapagosdesign.com/DPlease7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.fontbureau.com/designers87XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmpfalse
                                        		high
                                        http://www.fonts.com7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmpfalse
                                          		high
                                          http://www.sandoll.co.kr7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          		unknown
                                          http://hDgEgh.com7XCBqj5HLqHcRlU.exe, 00000004.00000002.476530485.0000000002A01000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.urwpp.deDPlease7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.zhongyicts.com.cn7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.sakkal.com7XCBqj5HLqHcRlU.exe, 00000000.00000002.246783403.0000000005B30000.00000002.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          		unknown
                                          https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip7XCBqj5HLqHcRlU.exe, 00000000.00000002.241704135.0000000003DFF000.00000004.00000001.sdmp, 7XCBqj5HLqHcRlU.exe, 00000004.00000002.471184243.0000000000402000.00000040.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          		unknown
                                          http://cps.root-x1.letsencrypt.org07XCBqj5HLqHcRlU.exe, 00000004.00000002.474443610.0000000000D1C000.00000004.00000020.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          		unknown

                                          Contacted IPs

                                          • No. of IPs < 25%
                                          • 25% < No. of IPs < 50%
                                          • 50% < No. of IPs < 75%
                                          • 75% < No. of IPs

                                          Public

                                          IPDomainCountryFlagASNASN NameMalicious
                                          66.199.141.105
                                          		prisamexico.netCanada
                                          		13768COGECO-PEER1CAtrue

                                          General Information

                                          Joe Sandbox Version:32.0.0 Black Diamond
                                          Analysis ID:404247
                                          Start date:04.05.2021
                                          Start time:20:44:58
                                          Joe Sandbox Product:CloudBasic
                                          Overall analysis duration:0h 9m 16s
                                          Hypervisor based Inspection enabled:false
                                          Report type:full
                                          Sample file name:7XCBqj5HLqHcRlU.exe
                                          Cookbook file name:default.jbs
                                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                          Number of analysed new started processes analysed:29
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:0
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • HDC enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Detection:MAL
                                          Classification:mal100.troj.spyw.evad.winEXE@3/1@2/1
                                          EGA Information:Failed
                                          HDC Information:Failed
                                          HCA Information:
                                          • Successful, ratio: 100%
                                          • Number of executed functions: 41
                                          • Number of non-executed functions: 3
                                          Cookbook Comments:
                                          • Adjust boot time
                                          • Enable AMSI
                                          • Found application associated with file extension: .exe
                                          Warnings:
                                          Show All
                                          • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                          • Excluded IPs from analysis (whitelisted): 52.147.198.201, 2.20.157.220, 104.42.151.234, 52.255.188.83, 23.57.80.111, 20.82.210.154, 2.20.142.209, 2.20.142.210, 92.122.213.194, 92.122.213.247, 20.54.26.129, 20.49.157.6
                                          • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, fs.microsoft.com, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net
                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                          • VT rate limit hit for: /opt/package/joesandbox/database/analysis/404247/sample/7XCBqj5HLqHcRlU.exe

                                          Simulations

                                          Behavior and APIs

                                          TimeTypeDescription
                                          20:45:59API Interceptor715x Sleep call for process: 7XCBqj5HLqHcRlU.exe modified

                                          Joe Sandbox View / Context

                                          IPs

                                          No context

                                          Domains

                                          No context

                                          ASN

                                          MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                          COGECO-PEER1CAgenerated check 662732.xlsmGet hashmaliciousBrowse
                                          • 64.34.68.10
                                          4JQil8gLKdGet hashmaliciousBrowse
                                          • 185.33.5.160
                                          Radix_1_exe.exeGet hashmaliciousBrowse
                                          • 209.15.37.6
                                          Missed +443547900.wav - 45551 PM.htm.htmGet hashmaliciousBrowse
                                          • 76.74.184.111
                                          #Ud83d#UdcdeMissed +60475998.wav - 82218 PM.htmGet hashmaliciousBrowse
                                          • 76.74.184.111
                                          #Ud83d#UdcdeMissed +1957636658.wav - 63542 PM.htm.htmGet hashmaliciousBrowse
                                          • 76.74.184.111
                                          z2xQEFs54b.exeGet hashmaliciousBrowse
                                          • 76.74.184.61
                                          IMG-03-14-2021.exeGet hashmaliciousBrowse
                                          • 69.90.160.170
                                          QUOTATION 03112021.exeGet hashmaliciousBrowse
                                          • 69.90.160.170
                                          QUOTATION 03112021.exeGet hashmaliciousBrowse
                                          • 69.90.160.170
                                          QUOTATION 03102021.exeGet hashmaliciousBrowse
                                          • 69.90.160.170
                                          Avis de Paiement (1).xlsxGet hashmaliciousBrowse
                                          • 66.155.71.149
                                          Agency Appointment - MV Patagonia.docGet hashmaliciousBrowse
                                          • 69.90.160.10
                                          remittanceslip_pdf.exeGet hashmaliciousBrowse
                                          • 209.15.37.6
                                          New_Order.exeGet hashmaliciousBrowse
                                          • 69.90.160.170
                                          tS9P6wPz9x.exeGet hashmaliciousBrowse
                                          • 66.155.35.240
                                          ransomware.exeGet hashmaliciousBrowse
                                          • 66.155.35.240
                                          ransomware.exeGet hashmaliciousBrowse
                                          • 66.155.35.240
                                          m9vk5iD1xh.exeGet hashmaliciousBrowse
                                          • 69.90.160.170

                                          JA3 Fingerprints

                                          No context

                                          Dropped Files

                                          No context

                                          Created / dropped Files

                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\7XCBqj5HLqHcRlU.exe.log
                                          Process:C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1216
                                          Entropy (8bit):5.355304211458859
                                          Encrypted:false
                                          SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                          MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                          SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                          SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                          SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                          Malicious:true
                                          Reputation:high, very likely benign file
                                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

                                          Static File Info

                                          General

                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Entropy (8bit):7.139562078643783
                                          TrID:
                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                          • Win32 Executable (generic) a (10002005/4) 49.75%
                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                          • Windows Screen Saver (13104/52) 0.07%
                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                          File name:7XCBqj5HLqHcRlU.exe
                                          File size:1027584
                                          MD5:09a25586d2eaf5e8c3a5df5557bad218
                                          SHA1:33acc64a84386fc9b14c9b389f7fc7f4fad089e6
                                          SHA256:e34725603d4f0177a6fbb66cff9f073a90cd74e6a65c05f1a704ab390906474f
                                          SHA512:f47e7aad5ec8bab9da67d38bc2c41af84a7ee2ae25ae8d65b1430d0c516afbead11828113986250c48a1d71e6e05a19aca914075443236c565232c3cde361670
                                          SSDEEP:12288:WTbB4fWXY3Ot6InK1sLuNp+dM0kKg0D75wAPG+zETi/Pih2CV5R2DMa46ZSLmFbD:WI6ZS8toLAOAYKOVGNkulYP0tl
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... ...............0.............B.... ........@.. ....................... ............@................................

                                          File Icon

                                          Icon Hash:00828e8e8686b000

                                          Static PE Info

                                          General

                                          Entrypoint:0x4fc142
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                          Time Stamp:0xF520A8BD [Wed Apr 28 01:17:49 2100 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:v4.0.30319
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                          Entrypoint Preview

                                          Instruction
                                          jmp dword ptr [00402000h]
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al

                                          Data Directories

                                          NameVirtual AddressVirtual Size Is in Section
                                          IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_IMPORT0xfc0f00x4f.text
                                          IMAGE_DIRECTORY_ENTRY_RESOURCE0xfe0000x604.rsrc
                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                          IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                          IMAGE_DIRECTORY_ENTRY_BASERELOC0x1000000xc.reloc
                                          IMAGE_DIRECTORY_ENTRY_DEBUG0xfc0d40x1c.text
                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                          IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                          Sections

                                          NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                          .text0x20000xfa1480xfa200False0.619281179723data7.14608942237IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                          .rsrc0xfe0000x6040x800False0.33154296875data3.44527479652IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          .reloc0x1000000xc0x200False0.044921875data0.101910425663IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                          Resources

                                          NameRVASizeTypeLanguageCountry
                                          RT_VERSION0xfe0900x374data
                                          RT_MANIFEST0xfe4140x1eaXML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                          Imports

                                          DLLImport
                                          mscoree.dll_CorExeMain

                                          Version Infos

                                          DescriptionData
                                          Translation0x0000 0x04b0
                                          LegalCopyrightCopyright 2019
                                          Assembly Version1.0.0.0
                                          InternalNameTCUtRTle7N3X8OP.exe
                                          FileVersion1.0.0.0
                                          CompanyName
                                          LegalTrademarks
                                          Comments
                                          ProductNameHospitalManagementSystem
                                          ProductVersion1.0.0.0
                                          FileDescriptionHospitalManagementSystem
                                          OriginalFilenameTCUtRTle7N3X8OP.exe

                                          Network Behavior

                                          Network Port Distribution

                                          TCP Packets

                                          TimestampSource PortDest PortSource IPDest IP
                                          May 4, 2021 20:47:40.708321095 CEST49737587192.168.2.366.199.141.105
                                          May 4, 2021 20:47:40.843053102 CEST5874973766.199.141.105192.168.2.3
                                          May 4, 2021 20:47:40.843238115 CEST49737587192.168.2.366.199.141.105
                                          May 4, 2021 20:47:41.093657017 CEST5874973766.199.141.105192.168.2.3
                                          May 4, 2021 20:47:41.093995094 CEST49737587192.168.2.366.199.141.105
                                          May 4, 2021 20:47:41.229269028 CEST5874973766.199.141.105192.168.2.3
                                          May 4, 2021 20:47:41.229557991 CEST49737587192.168.2.366.199.141.105
                                          May 4, 2021 20:47:41.365915060 CEST5874973766.199.141.105192.168.2.3
                                          May 4, 2021 20:47:41.400036097 CEST49737587192.168.2.366.199.141.105
                                          May 4, 2021 20:47:41.547707081 CEST5874973766.199.141.105192.168.2.3
                                          May 4, 2021 20:47:41.547727108 CEST5874973766.199.141.105192.168.2.3
                                          May 4, 2021 20:47:41.547743082 CEST5874973766.199.141.105192.168.2.3
                                          May 4, 2021 20:47:41.547852993 CEST49737587192.168.2.366.199.141.105
                                          May 4, 2021 20:47:41.555566072 CEST49737587192.168.2.366.199.141.105
                                          May 4, 2021 20:47:41.690119028 CEST5874973766.199.141.105192.168.2.3
                                          May 4, 2021 20:47:41.737818956 CEST49737587192.168.2.366.199.141.105
                                          May 4, 2021 20:47:41.872133970 CEST5874973766.199.141.105192.168.2.3
                                          May 4, 2021 20:47:41.874854088 CEST49737587192.168.2.366.199.141.105
                                          May 4, 2021 20:47:42.009603977 CEST5874973766.199.141.105192.168.2.3
                                          May 4, 2021 20:47:42.010371923 CEST49737587192.168.2.366.199.141.105
                                          May 4, 2021 20:47:42.145611048 CEST5874973766.199.141.105192.168.2.3
                                          May 4, 2021 20:47:42.146420956 CEST49737587192.168.2.366.199.141.105
                                          May 4, 2021 20:47:42.282630920 CEST5874973766.199.141.105192.168.2.3
                                          May 4, 2021 20:47:42.283515930 CEST49737587192.168.2.366.199.141.105
                                          May 4, 2021 20:47:42.419806004 CEST5874973766.199.141.105192.168.2.3
                                          May 4, 2021 20:47:42.420697927 CEST49737587192.168.2.366.199.141.105
                                          May 4, 2021 20:47:42.557286024 CEST5874973766.199.141.105192.168.2.3
                                          May 4, 2021 20:47:42.563513994 CEST49737587192.168.2.366.199.141.105
                                          May 4, 2021 20:47:42.563889027 CEST49737587192.168.2.366.199.141.105
                                          May 4, 2021 20:47:42.564095974 CEST49737587192.168.2.366.199.141.105
                                          May 4, 2021 20:47:42.564300060 CEST49737587192.168.2.366.199.141.105
                                          May 4, 2021 20:47:42.698018074 CEST5874973766.199.141.105192.168.2.3
                                          May 4, 2021 20:47:42.698143005 CEST5874973766.199.141.105192.168.2.3
                                          May 4, 2021 20:47:42.698236942 CEST5874973766.199.141.105192.168.2.3
                                          May 4, 2021 20:47:42.698370934 CEST5874973766.199.141.105192.168.2.3
                                          May 4, 2021 20:47:43.438055992 CEST5874973766.199.141.105192.168.2.3
                                          May 4, 2021 20:47:43.491334915 CEST49737587192.168.2.366.199.141.105

                                          UDP Packets

                                          TimestampSource PortDest PortSource IPDest IP
                                          May 4, 2021 20:45:40.907846928 CEST4919953192.168.2.38.8.8.8
                                          May 4, 2021 20:45:40.958323956 CEST53491998.8.8.8192.168.2.3
                                          May 4, 2021 20:45:41.885293007 CEST5062053192.168.2.38.8.8.8
                                          May 4, 2021 20:45:41.944705963 CEST53506208.8.8.8192.168.2.3
                                          May 4, 2021 20:45:42.101284981 CEST6493853192.168.2.38.8.8.8
                                          May 4, 2021 20:45:42.152767897 CEST53649388.8.8.8192.168.2.3
                                          May 4, 2021 20:45:43.249723911 CEST6015253192.168.2.38.8.8.8
                                          May 4, 2021 20:45:43.300298929 CEST53601528.8.8.8192.168.2.3
                                          May 4, 2021 20:45:44.250201941 CEST5754453192.168.2.38.8.8.8
                                          May 4, 2021 20:45:44.299710035 CEST53575448.8.8.8192.168.2.3
                                          May 4, 2021 20:45:45.148391008 CEST5598453192.168.2.38.8.8.8
                                          May 4, 2021 20:45:45.199253082 CEST53559848.8.8.8192.168.2.3
                                          May 4, 2021 20:45:46.306448936 CEST6418553192.168.2.38.8.8.8
                                          May 4, 2021 20:45:46.357938051 CEST53641858.8.8.8192.168.2.3
                                          May 4, 2021 20:45:47.115859032 CEST6511053192.168.2.38.8.8.8
                                          May 4, 2021 20:45:47.173021078 CEST53651108.8.8.8192.168.2.3
                                          May 4, 2021 20:45:48.256779909 CEST5836153192.168.2.38.8.8.8
                                          May 4, 2021 20:45:48.318157911 CEST53583618.8.8.8192.168.2.3
                                          May 4, 2021 20:45:49.302977085 CEST6349253192.168.2.38.8.8.8
                                          May 4, 2021 20:45:49.354597092 CEST53634928.8.8.8192.168.2.3
                                          May 4, 2021 20:45:50.800856113 CEST6083153192.168.2.38.8.8.8
                                          May 4, 2021 20:45:50.849457979 CEST53608318.8.8.8192.168.2.3
                                          May 4, 2021 20:45:51.602194071 CEST6010053192.168.2.38.8.8.8
                                          May 4, 2021 20:45:51.653870106 CEST53601008.8.8.8192.168.2.3
                                          May 4, 2021 20:45:52.488270998 CEST5319553192.168.2.38.8.8.8
                                          May 4, 2021 20:45:52.537082911 CEST53531958.8.8.8192.168.2.3
                                          May 4, 2021 20:45:53.319747925 CEST5014153192.168.2.38.8.8.8
                                          May 4, 2021 20:45:53.371381998 CEST53501418.8.8.8192.168.2.3
                                          May 4, 2021 20:45:54.418693066 CEST5302353192.168.2.38.8.8.8
                                          May 4, 2021 20:45:54.469448090 CEST53530238.8.8.8192.168.2.3
                                          May 4, 2021 20:45:55.268682003 CEST4956353192.168.2.38.8.8.8
                                          May 4, 2021 20:45:55.321857929 CEST53495638.8.8.8192.168.2.3
                                          May 4, 2021 20:45:56.490590096 CEST5135253192.168.2.38.8.8.8
                                          May 4, 2021 20:45:56.550529003 CEST53513528.8.8.8192.168.2.3
                                          May 4, 2021 20:45:57.402920008 CEST5934953192.168.2.38.8.8.8
                                          May 4, 2021 20:45:57.460558891 CEST53593498.8.8.8192.168.2.3
                                          May 4, 2021 20:46:15.903362036 CEST5708453192.168.2.38.8.8.8
                                          May 4, 2021 20:46:15.963665009 CEST53570848.8.8.8192.168.2.3
                                          May 4, 2021 20:46:19.540618896 CEST5882353192.168.2.38.8.8.8
                                          May 4, 2021 20:46:19.589715958 CEST53588238.8.8.8192.168.2.3
                                          May 4, 2021 20:46:35.394798040 CEST5756853192.168.2.38.8.8.8
                                          May 4, 2021 20:46:35.454495907 CEST53575688.8.8.8192.168.2.3
                                          May 4, 2021 20:46:40.774811029 CEST5054053192.168.2.38.8.8.8
                                          May 4, 2021 20:46:40.840569973 CEST53505408.8.8.8192.168.2.3
                                          May 4, 2021 20:46:52.624903917 CEST5436653192.168.2.38.8.8.8
                                          May 4, 2021 20:46:52.681967020 CEST53543668.8.8.8192.168.2.3
                                          May 4, 2021 20:47:02.382545948 CEST5303453192.168.2.38.8.8.8
                                          May 4, 2021 20:47:02.454353094 CEST53530348.8.8.8192.168.2.3
                                          May 4, 2021 20:47:06.082418919 CEST5776253192.168.2.38.8.8.8
                                          May 4, 2021 20:47:06.147727013 CEST53577628.8.8.8192.168.2.3
                                          May 4, 2021 20:47:37.567984104 CEST5543553192.168.2.38.8.8.8
                                          May 4, 2021 20:47:37.633315086 CEST53554358.8.8.8192.168.2.3
                                          May 4, 2021 20:47:40.341852903 CEST5071353192.168.2.38.8.8.8
                                          May 4, 2021 20:47:40.495930910 CEST53507138.8.8.8192.168.2.3
                                          May 4, 2021 20:47:40.520329952 CEST5613253192.168.2.38.8.8.8
                                          May 4, 2021 20:47:40.596545935 CEST5898753192.168.2.38.8.8.8
                                          May 4, 2021 20:47:40.669444084 CEST53589878.8.8.8192.168.2.3
                                          May 4, 2021 20:47:40.685180902 CEST53561328.8.8.8192.168.2.3

                                          DNS Queries

                                          TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                          May 4, 2021 20:47:40.341852903 CEST192.168.2.38.8.8.80x1ba7Standard query (0)mail.prisamexico.netA (IP address)IN (0x0001)
                                          May 4, 2021 20:47:40.520329952 CEST192.168.2.38.8.8.80xde31Standard query (0)mail.prisamexico.netA (IP address)IN (0x0001)

                                          DNS Answers

                                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                          May 4, 2021 20:47:40.495930910 CEST8.8.8.8192.168.2.30x1ba7No error (0)mail.prisamexico.netprisamexico.netCNAME (Canonical name)IN (0x0001)
                                          May 4, 2021 20:47:40.495930910 CEST8.8.8.8192.168.2.30x1ba7No error (0)prisamexico.net66.199.141.105A (IP address)IN (0x0001)
                                          May 4, 2021 20:47:40.685180902 CEST8.8.8.8192.168.2.30xde31No error (0)mail.prisamexico.netprisamexico.netCNAME (Canonical name)IN (0x0001)
                                          May 4, 2021 20:47:40.685180902 CEST8.8.8.8192.168.2.30xde31No error (0)prisamexico.net66.199.141.105A (IP address)IN (0x0001)

                                          SMTP Packets

                                          TimestampSource PortDest PortSource IPDest IPCommands
                                          May 4, 2021 20:47:41.093657017 CEST5874973766.199.141.105192.168.2.3220-r130.websiteservername.com ESMTP Exim 4.94.2 #2 Tue, 04 May 2021 13:47:41 -0500
                                          220-We do not authorize the use of this system to transport unsolicited,
                                          220 and/or bulk e-mail.
                                          May 4, 2021 20:47:41.093995094 CEST49737587192.168.2.366.199.141.105EHLO 888683
                                          May 4, 2021 20:47:41.229269028 CEST5874973766.199.141.105192.168.2.3250-r130.websiteservername.com Hello 888683 [84.17.52.3]
                                          250-SIZE 52428800
                                          250-8BITMIME
                                          250-PIPELINING
                                          250-PIPE_CONNECT
                                          250-AUTH PLAIN LOGIN
                                          250-STARTTLS
                                          250 HELP
                                          May 4, 2021 20:47:41.229557991 CEST49737587192.168.2.366.199.141.105STARTTLS
                                          May 4, 2021 20:47:41.365915060 CEST5874973766.199.141.105192.168.2.3220 TLS go ahead

                                          Code Manipulations

                                          Statistics

                                          CPU Usage

                                          Click to jump to process

                                          Memory Usage

                                          Click to jump to process

                                          High Level Behavior Distribution

                                          Click to dive into process behavior distribution

                                          Behavior

                                          Click to jump to process

                                          System Behavior

                                          Analysis Process: 7XCBqj5HLqHcRlU.exe PID: 5452 Parent PID: 5764

                                          General

                                          Start time:20:45:48
                                          Start date:04/05/2021
                                          Path:C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe
                                          Wow64 process (32bit):true
                                          Commandline:'C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe'
                                          Imagebase:0x730000
                                          File size:1027584 bytes
                                          MD5 hash:09A25586D2EAF5E8C3A5DF5557BAD218
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.241704135.0000000003DFF000.00000004.00000001.sdmp, Author: Joe Security
                                          Reputation:low

                                          Chronological Activities

                                          Analysis Process: 7XCBqj5HLqHcRlU.exe PID: 5628 Parent PID: 5452

                                          General

                                          Start time:20:46:00
                                          Start date:04/05/2021
                                          Path:C:\Users\user\Desktop\7XCBqj5HLqHcRlU.exe
                                          Wow64 process (32bit):true
                                          Commandline:{path}
                                          Imagebase:0x510000
                                          File size:1027584 bytes
                                          MD5 hash:09A25586D2EAF5E8C3A5DF5557BAD218
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.471184243.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.476530485.0000000002A01000.00000004.00000001.sdmp, Author: Joe Security
                                          Reputation:low

                                          Chronological Activities

                                          Disassembly

                                          Code Analysis

                                          Reset < >

                                            Analysis Process: 7XCBqj5HLqHcRlU.exe PID: 5452 Parent PID: 5764 7XCBqj5HLqHcRlU.exeCOMMON

                                            Executed Functions

                                            Function 010696F0, Relevance: 1.7, APIs: 1, Instructions: 196COMMON
                                            Download Yara Rule
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 01069936
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.234571532.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: 93967845634e5ee13e66d5f888558b1e9d1dff65a8e1e0dc1ab85681b586c384
                                            • Instruction ID: 1a2438687397c242822f78a59402d409b34a4b371143f8a1ea4f415173bb03f8
                                            • Opcode Fuzzy Hash: 93967845634e5ee13e66d5f888558b1e9d1dff65a8e1e0dc1ab85681b586c384
                                            • Instruction Fuzzy Hash: 7B715670A00B058FDB64DF2AD14479ABBF5BF88208F00892DE58ACBB40DB34E905CF91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 0106C69C, Relevance: 1.6, APIs: 1, Instructions: 116COMMON
                                            Download Yara Rule
                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0106FD6A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.234571532.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: 24dd14f11c6329a90e66e2f4527d6f58daa4811024cb4d4541f3fb1a3683b913
                                            • Instruction ID: 25a46c79bc9b24b7b54bf41600b71d9c6220615d72bb2e9e0a5eedfdd93d3369
                                            • Opcode Fuzzy Hash: 24dd14f11c6329a90e66e2f4527d6f58daa4811024cb4d4541f3fb1a3683b913
                                            • Instruction Fuzzy Hash: 1751C0B1D003099FDB14DF9AD994ADEBFB5BF48314F24852AE819AB210D774A845CF90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 0106FC4F, Relevance: 1.6, APIs: 1, Instructions: 113COMMON
                                            Download Yara Rule
                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0106FD6A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.234571532.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: 438b27a774966a712b10a73f5cb25f7a81a3fd0f5ad89edbaff9a138605a3fe9
                                            • Instruction ID: aa44f77e0b541697ed78d68e20b028feb911e8868918dfd4a39e894154b94b8e
                                            • Opcode Fuzzy Hash: 438b27a774966a712b10a73f5cb25f7a81a3fd0f5ad89edbaff9a138605a3fe9
                                            • Instruction Fuzzy Hash: 9E51C0B5D003099FDF14CFA9D994ADEBFB6BF48314F24852AE819AB210D774A845CF90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 01065364, Relevance: 1.6, APIs: 1, Instructions: 99COMMON
                                            Download Yara Rule
                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 01065421
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.234571532.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: abe52aed69238f16fa309581a90404888b51842aefbb95d5747438ffe4aaaa7b
                                            • Instruction ID: 7b0bed00c8a94bdd2a8eb46deb29fb5f1ea0df70c0f4bb8a51191cc2eaa75520
                                            • Opcode Fuzzy Hash: abe52aed69238f16fa309581a90404888b51842aefbb95d5747438ffe4aaaa7b
                                            • Instruction Fuzzy Hash: 8D411570D04218CFDF24DFA9C8447CEBBB5BF49309F2480A9D558AB251DB756946CF90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 01063DE4, Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                            Download Yara Rule
                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 01065421
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.234571532.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: e0620a37eedf527afe984f34a5bb5726b927bb34b8e257a1240a6bafb72662ac
                                            • Instruction ID: ed326faf23368e6207577ad39fbed67081242a9cdf3dad694d9a0a42c79fcc70
                                            • Opcode Fuzzy Hash: e0620a37eedf527afe984f34a5bb5726b927bb34b8e257a1240a6bafb72662ac
                                            • Instruction Fuzzy Hash: 934102B0D04318CFDF24DFA9C884B9EBBB5BF49308F2480A9D558AB251DB756945CF90
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 0106B21C, Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                            Download Yara Rule
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0106BBD6,?,?,?,?,?), ref: 0106BC97
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.234571532.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: af6a12ae56b7b1bc69f94ea66afc4ed74600d305ca3d0aca4bd0e7603f95765f
                                            • Instruction ID: 00e674f1b6471acdd4d1a1d7bcc38c64edd616a55f5d47079f6e5ddb4f8fc01f
                                            • Opcode Fuzzy Hash: af6a12ae56b7b1bc69f94ea66afc4ed74600d305ca3d0aca4bd0e7603f95765f
                                            • Instruction Fuzzy Hash: D721E5B59002489FDB10CF9AD984ADEBBF8EB48324F14841AE954A3311D774A954CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 0106BC08, Relevance: 1.6, APIs: 1, Instructions: 61COMMON
                                            Download Yara Rule
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0106BBD6,?,?,?,?,?), ref: 0106BC97
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.234571532.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 843c95193b24e93cff584fae6f1a186bfc0ab6e58ec29a6acf900cd67b1cddb5
                                            • Instruction ID: ba004b3d020ba16008f65f74ccff7b195122c25a417078d4ba791485d1a3957b
                                            • Opcode Fuzzy Hash: 843c95193b24e93cff584fae6f1a186bfc0ab6e58ec29a6acf900cd67b1cddb5
                                            • Instruction Fuzzy Hash: CF21E3B5D002489FDB10CFA9D984BDEBBF8AB48324F15841AE954A7310D778A944CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 01069148, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                                            Download Yara Rule
                                            APIs
                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,010699B1,00000800,00000000,00000000), ref: 01069BC2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.234571532.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: f92988146727acd847ee2e93c8c628b0ddd2129b3c26d00a53e3d02f5f403c0a
                                            • Instruction ID: 5118a678b299ec921c433cb888c610425287b8c15d6b93ff8b44db0816d59447
                                            • Opcode Fuzzy Hash: f92988146727acd847ee2e93c8c628b0ddd2129b3c26d00a53e3d02f5f403c0a
                                            • Instruction Fuzzy Hash: 261126B6D003488FDB10DF9AD944BDEFBF8EB88324F54842AE555A7600C374A945CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 01069B50, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                                            Download Yara Rule
                                            APIs
                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,010699B1,00000800,00000000,00000000), ref: 01069BC2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.234571532.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: a75d02acedcce9a310656a53c60479320d80d4e889a662fe3d55a743f619c49e
                                            • Instruction ID: c6283bf443c3ddc8ee1004c2a2a2d9c42c20e45a801a6ada213a2ac8eb8f4a4e
                                            • Opcode Fuzzy Hash: a75d02acedcce9a310656a53c60479320d80d4e889a662fe3d55a743f619c49e
                                            • Instruction Fuzzy Hash: AD1114B68002498FDB10CF9AC944ADEFBF8EB88324F15846AE555A7600C378A545CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 010698D0, Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                            Download Yara Rule
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 01069936
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.234571532.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: 966418b2c440d4c3f9e1b21ee58657087b57f490d572cf540f58b4854e475d39
                                            • Instruction ID: c8c3101791d95e5f84ea455dc02a5fbe70c4d443204606c8d65436e77bee09cf
                                            • Opcode Fuzzy Hash: 966418b2c440d4c3f9e1b21ee58657087b57f490d572cf540f58b4854e475d39
                                            • Instruction Fuzzy Hash: 6311E0B5C006498FDB14DF9AC844BDEFBF8AB88224F14846AD569B7700D378A545CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00FED4C4, Relevance: .1, Instructions: 75COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.234253598.0000000000FED000.00000040.00000001.sdmp, Offset: 00FED000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9bdaaf0fcd45be08146a482908f61f4fdc325dbe542ce69b1198da9e0a7c8a29
                                            • Instruction ID: c575f161230c3bb44da3bc39b3b42536b06bfd16105003a9fd6505840bc37a49
                                            • Opcode Fuzzy Hash: 9bdaaf0fcd45be08146a482908f61f4fdc325dbe542ce69b1198da9e0a7c8a29
                                            • Instruction Fuzzy Hash: 452125B2904380DFCB05DF14D9C0B26BF65FB98328F288569E9054B646C336D856EBA2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00FFD01C, Relevance: .1, Instructions: 72COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.234275255.0000000000FFD000.00000040.00000001.sdmp, Offset: 00FFD000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: dbc0df3f9d856ce355133c597869762c82610de10b7565c0e87ccb9038b44be9
                                            • Instruction ID: 080b7b628d6f668e95965d8b40629cb5d9e6a82fd5ffda620b48fd676b9e0d28
                                            • Opcode Fuzzy Hash: dbc0df3f9d856ce355133c597869762c82610de10b7565c0e87ccb9038b44be9
                                            • Instruction Fuzzy Hash: 8021F875504248DFDB14DF14D4C0B26BB66FF84328F24C569EA094B25ACB36D847DA61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00FFD1D4, Relevance: .1, Instructions: 72COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.234275255.0000000000FFD000.00000040.00000001.sdmp, Offset: 00FFD000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: cb0aff1a295cf458bea84d2f32f51b2d1a4daec740a75ac58c3d6f18e076a86a
                                            • Instruction ID: 4c284e099156e5c0e6449cbe154ba0c792464de97ee8f2be0214346ad445e0a3
                                            • Opcode Fuzzy Hash: cb0aff1a295cf458bea84d2f32f51b2d1a4daec740a75ac58c3d6f18e076a86a
                                            • Instruction Fuzzy Hash: E02107B1904208DFDB05DF14D9C0B36BB66FF84328F24C5ADEA094B256C736D846EBA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00FFD005, Relevance: .1, Instructions: 62COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.234275255.0000000000FFD000.00000040.00000001.sdmp, Offset: 00FFD000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d7ceaad01fe976c3beda40b740e27915e8d29e341fae81c4fe656cb83aa42a03
                                            • Instruction ID: 3ce208ec6864a9ea29c22f9a0a6de876423fc002a9fbf277052b043c0fe2651f
                                            • Opcode Fuzzy Hash: d7ceaad01fe976c3beda40b740e27915e8d29e341fae81c4fe656cb83aa42a03
                                            • Instruction Fuzzy Hash: 002183755093C48FCB02CF24D590715BF71EF46324F28C5EAD9458B667C73A984ACB62
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00FED4BF, Relevance: .1, Instructions: 56COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.234253598.0000000000FED000.00000040.00000001.sdmp, Offset: 00FED000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f3b157afdbb6b8f97dc596e66e634dfcbcf822356cd4e727a4141288e46826d7
                                            • Instruction ID: e494d3d9a0d46c7d1686e19c55ea471ab405abdd8b4f96c22834d8efcc99789c
                                            • Opcode Fuzzy Hash: f3b157afdbb6b8f97dc596e66e634dfcbcf822356cd4e727a4141288e46826d7
                                            • Instruction Fuzzy Hash: 3F11D376804380CFCB15CF14D9C4B16BF71FB94328F28C6A9D8450B616C336D85ADBA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00FFD1CF, Relevance: .1, Instructions: 53COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.234275255.0000000000FFD000.00000040.00000001.sdmp, Offset: 00FFD000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: aa6bdbb04686500b4f88f9c2907b36233d3495acb1519a01dcdcc91fed9e3004
                                            • Instruction ID: 7831c5ae79843b5b9135790f278f3e6e03d2e67ef76f992a34d68b2eb8ad0789
                                            • Opcode Fuzzy Hash: aa6bdbb04686500b4f88f9c2907b36233d3495acb1519a01dcdcc91fed9e3004
                                            • Instruction Fuzzy Hash: F611BE75904284DFCB05CF10C5C0B25BB62FF84324F24C6AAD9494B666C33AD84ADBA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00FED651, Relevance: .0, Instructions: 45COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.234253598.0000000000FED000.00000040.00000001.sdmp, Offset: 00FED000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f804af7c340a58588817723d2fdf8ed2fcdc2af0996abe249110c464897999d0
                                            • Instruction ID: cc5fa9bad11ecc7c8fad7f5c6bdbbe007f903f14bf75f6619c138122acb33030
                                            • Opcode Fuzzy Hash: f804af7c340a58588817723d2fdf8ed2fcdc2af0996abe249110c464897999d0
                                            • Instruction Fuzzy Hash: C3012B724083849AE7209F27CC84767FBA8EF41338F188459FE0D5B682C3799C44E6B1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00FED650, Relevance: .0, Instructions: 36COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.234253598.0000000000FED000.00000040.00000001.sdmp, Offset: 00FED000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 89882a36ef240502560005906c5a0ca5c4e1cf3f8157b19747f9bfad568162f1
                                            • Instruction ID: ad31b9f6d9102a7f7a1bd9931e759853f6a8e13dc0bef9ba34f963ef0ca28b7b
                                            • Opcode Fuzzy Hash: 89882a36ef240502560005906c5a0ca5c4e1cf3f8157b19747f9bfad568162f1
                                            • Instruction Fuzzy Hash: 19F0C2714042849AE7108F06CC84B62FFA8EB41334F18C45AED084B682C3789C44DAB1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Non-executed Functions

                                            Function 0106E4D0, Relevance: .3, Instructions: 315COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.234571532.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6ba3332351942467c458dbde6b274a83f6bb79a751eab875ed9cb5425df34ddf
                                            • Instruction ID: 58c4654bb097a9539b683da70a982870ba29c35dcf4cf61b9c3e22d7501d143e
                                            • Opcode Fuzzy Hash: 6ba3332351942467c458dbde6b274a83f6bb79a751eab875ed9cb5425df34ddf
                                            • Instruction Fuzzy Hash: 0412B3F5419B468BE330CF65EDD818DBBA1B745328F904208D2E12BAD9D7BE154ACF84
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 0106C43C, Relevance: .3, Instructions: 265COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.234571532.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5df9c746795cda433d8cf04db77e4a7fc276a2786a73d8c5142098c366a1b771
                                            • Instruction ID: ba9e19c40bfa1f49068bfae93cd3ada5943ebfdd35f2c8c2758c6680ff86e367
                                            • Opcode Fuzzy Hash: 5df9c746795cda433d8cf04db77e4a7fc276a2786a73d8c5142098c366a1b771
                                            • Instruction Fuzzy Hash: 4DA1A132E0020ACFCF15DFA8C9445DDBBF6FF84300B1581AAE985BB225EB35A945CB50
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 0106E4C3, Relevance: .2, Instructions: 221COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.234571532.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 500d5a09e49bf7dc8b5418c5b8b894c8bd024c1b2877deeb563ae75cce8bf747
                                            • Instruction ID: 70187c08a5f200e3372664d379f9c204cd827cc56dc2d274fabd668c043498b3
                                            • Opcode Fuzzy Hash: 500d5a09e49bf7dc8b5418c5b8b894c8bd024c1b2877deeb563ae75cce8bf747
                                            • Instruction Fuzzy Hash: A6C118B18197468BD720DF65ECD818DBBB1BB85328F504318D2E16BAD8D7BE144ACF84
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Analysis Process: 7XCBqj5HLqHcRlU.exe PID: 5628 Parent PID: 5452 7XCBqj5HLqHcRlU.exeCOMMON

                                            Executed Functions

                                            Function 00E72268, Relevance: 2.3, APIs: 1, Instructions: 760libraryCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.475058797.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 54ea6c70681080c76814d58752a588e4e1113ac7066965e9922bdc3a992c3f15
                                            • Instruction ID: f0e8883b6c73066f8dade210532db48be59778cb945e960f7bbc652eca4131af
                                            • Opcode Fuzzy Hash: 54ea6c70681080c76814d58752a588e4e1113ac7066965e9922bdc3a992c3f15
                                            • Instruction Fuzzy Hash: 72621931E016198FCB24EF78C9556DDB7F2AF89304F1085AAD54AAB360EF309E85CB51
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 0107691F, Relevance: 6.1, APIs: 4, Instructions: 135threadCOMMON
                                            Download Yara Rule
                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 010769A0
                                            • GetCurrentThread.KERNEL32 ref: 010769DD
                                            • GetCurrentProcess.KERNEL32 ref: 01076A1A
                                            • GetCurrentThreadId.KERNEL32 ref: 01076A73
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.475491920.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: false
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID:
                                            • API String ID: 2063062207-0
                                            • Opcode ID: 7d30b1e1fde88a9bcf8cc1b03787ca521fce5cf0136f8d18f2d3bd5a7369ee79
                                            • Instruction ID: 91b95e1ade7335e9724b292266c2348f7d0593415950d281a93a60b86a2b9d38
                                            • Opcode Fuzzy Hash: 7d30b1e1fde88a9bcf8cc1b03787ca521fce5cf0136f8d18f2d3bd5a7369ee79
                                            • Instruction Fuzzy Hash: 5F5166B49057448FEB10DFAAC5887EEBFF0EF49314F24849AE089A7360C7355884CB65
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 01076940, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON
                                            Download Yara Rule
                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 010769A0
                                            • GetCurrentThread.KERNEL32 ref: 010769DD
                                            • GetCurrentProcess.KERNEL32 ref: 01076A1A
                                            • GetCurrentThreadId.KERNEL32 ref: 01076A73
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.475491920.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: false
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID:
                                            • API String ID: 2063062207-0
                                            • Opcode ID: d85fced449f6ac0379561bcc2c2546b97539c0045ac6326233f4e2437a04496f
                                            • Instruction ID: c1831adde20a2647ab8e36167adfc45231af3027b7bfb718f392266d8a0d9eb2
                                            • Opcode Fuzzy Hash: d85fced449f6ac0379561bcc2c2546b97539c0045ac6326233f4e2437a04496f
                                            • Instruction Fuzzy Hash: 5C5157B0D006498FEB14DFAAD548BEEBBF4EF88314F208499E549A7350D7355884CF65
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00E7E1E8, Relevance: 1.6, APIs: 1, Instructions: 134COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.475058797.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b01dc85b01ed7ac9c3f87ac967c701af2c0a2a6df477c4ed46bc4bdd6f18b229
                                            • Instruction ID: 93564860fc81a41982e93b0621a9ae06bdc8d814b35ce3d5788521b76403b146
                                            • Opcode Fuzzy Hash: b01dc85b01ed7ac9c3f87ac967c701af2c0a2a6df477c4ed46bc4bdd6f18b229
                                            • Instruction Fuzzy Hash: 6D414371D083958FCB00DB79C8046AEBBF5AF89314F1585AAD408E7351EB789945CBE1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 01075084, Relevance: 1.6, APIs: 1, Instructions: 115COMMON
                                            Download Yara Rule
                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 010751A2
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.475491920.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: false
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: 5bd2d20a2cd13678585f43a52d70d3f5b272a428f18dd85263ca0bf3ae6cc9b5
                                            • Instruction ID: 23552981583021c50cf251959663df4dd0cd00de929b32e7543b82895e78964e
                                            • Opcode Fuzzy Hash: 5bd2d20a2cd13678585f43a52d70d3f5b272a428f18dd85263ca0bf3ae6cc9b5
                                            • Instruction Fuzzy Hash: 0351CEB1D102489FDF14CFA9D884ADEBFB1BF88314F64852AE819AB250D7749885CF94
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 01075090, Relevance: 1.6, APIs: 1, Instructions: 113COMMON
                                            Download Yara Rule
                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 010751A2
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.475491920.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: false
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: 9209a4c6edddae9c292623cb521618fe5b3ce71facc820e015f6660164ea2041
                                            • Instruction ID: ef62271b1cf85eb4497a673ebe6381a94188ae40df7d7f732a5ca5970f58dd71
                                            • Opcode Fuzzy Hash: 9209a4c6edddae9c292623cb521618fe5b3ce71facc820e015f6660164ea2041
                                            • Instruction Fuzzy Hash: A541D0B1D003489FDB14CFA9D884ADEBFB5BF88314F64852AE818AB210D7749885CF94
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 0107779C, Relevance: 1.6, APIs: 1, Instructions: 97COMMON
                                            Download Yara Rule
                                            APIs
                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 01077F01
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.475491920.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: false
                                            Similarity
                                            • API ID: CallProcWindow
                                            • String ID:
                                            • API String ID: 2714655100-0
                                            • Opcode ID: 22c33418dca17274876dfad6ffcc63353f7270a1e1d09edf113a034c82571493
                                            • Instruction ID: 279a6fae808f4267e8450efa9841463a9540604e59750ee0d42e93f0a7bbf088
                                            • Opcode Fuzzy Hash: 22c33418dca17274876dfad6ffcc63353f7270a1e1d09edf113a034c82571493
                                            • Instruction Fuzzy Hash: 30410CB4D00345CFDB14CF59C488AAABBF5FF88314F148899E559A7311D774A845CFA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 0107C109, Relevance: 1.6, APIs: 1, Instructions: 82COMMON
                                            Download Yara Rule
                                            APIs
                                            • RtlEncodePointer.NTDLL(00000000), ref: 0107C192
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.475491920.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: false
                                            Similarity
                                            • API ID: EncodePointer
                                            • String ID:
                                            • API String ID: 2118026453-0
                                            • Opcode ID: 55fba53977b03d76b8d0b09a8363c5ab6edaa7b515522ff445d5efd589f746bd
                                            • Instruction ID: cee0ba94cf2d09f173270ee0ee3acb2c25dd49f6fdd5a1fba9f7bdcca048da53
                                            • Opcode Fuzzy Hash: 55fba53977b03d76b8d0b09a8363c5ab6edaa7b515522ff445d5efd589f746bd
                                            • Instruction Fuzzy Hash: 6731F2B0C043868FEB21DF69E5493EEBFF0EB06318F2484AAD489A7642C7395409CF55
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 01076B63, Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                            Download Yara Rule
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01076BEF
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.475491920.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: false
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: e675575681ecad41243f9c4eb4e800f37ed059e05e0c68a665469a1084786de2
                                            • Instruction ID: 91afe82c924dc9ae40ca3967f41a7b4e6fb00d983fb54b5ed5aa10530338c0fd
                                            • Opcode Fuzzy Hash: e675575681ecad41243f9c4eb4e800f37ed059e05e0c68a665469a1084786de2
                                            • Instruction Fuzzy Hash: 2621E2B5D002489FDB10CFA9D984AEEBFF4EB48324F14845AE955A7310D374A954CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 01076B68, Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                            Download Yara Rule
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01076BEF
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.475491920.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: false
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 14b0d0f34b9a548c5c698df1e64434518d7b49e5d07fdbcb13a923c06b544b0c
                                            • Instruction ID: 8e9274fc69a1111a2914ce6dc7bcc9037d37e4603fda13527c0f7fce33705103
                                            • Opcode Fuzzy Hash: 14b0d0f34b9a548c5c698df1e64434518d7b49e5d07fdbcb13a923c06b544b0c
                                            • Instruction Fuzzy Hash: F021F3B5D002489FDB10CFAAD984AEEFBF8FB48324F14841AE915A3310D374A944CFA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00E265F8, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                                            Download Yara Rule
                                            APIs
                                            • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,?,00E27819,00000800), ref: 00E278AA
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.474914361.0000000000E20000.00000040.00000001.sdmp, Offset: 00E20000, based on PE: false
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: 4b3cc81d2dd742d9f0916bc0c23a0f148c119be072bc9bca46b3901ffb13c68e
                                            • Instruction ID: 9bdce94dd99992d57dc66e098431514036f0992227e6cf83c17d43bbd50d6bee
                                            • Opcode Fuzzy Hash: 4b3cc81d2dd742d9f0916bc0c23a0f148c119be072bc9bca46b3901ffb13c68e
                                            • Instruction Fuzzy Hash: 431114B6D042598FCB14DFAAD848BDEFBF4EB88324F14842AE555B7200C374A945CFA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00E7E2BA, Relevance: 1.6, APIs: 1, Instructions: 55COMMON
                                            Download Yara Rule
                                            APIs
                                            • GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,00E7E23A), ref: 00E7E327
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.475058797.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false
                                            Similarity
                                            • API ID: GlobalMemoryStatus
                                            • String ID:
                                            • API String ID: 1890195054-0
                                            • Opcode ID: bc725795ec3d1c0797da6ac2f7357e28aa70e0629ee07354ece81459e9216428
                                            • Instruction ID: 6c6a84c96e1f488252b2411ae4fdaf5a073173acfc3207ac7482ef9fc36a5ca8
                                            • Opcode Fuzzy Hash: bc725795ec3d1c0797da6ac2f7357e28aa70e0629ee07354ece81459e9216428
                                            • Instruction Fuzzy Hash: A31133B1C046599FCB10DFAAC844BDEFBB4AF48324F15856AE418B7240D378A944CFE1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00E7CD50, Relevance: 1.6, APIs: 1, Instructions: 55COMMON
                                            Download Yara Rule
                                            APIs
                                            • GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,00E7E23A), ref: 00E7E327
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.475058797.0000000000E70000.00000040.00000001.sdmp, Offset: 00E70000, based on PE: false
                                            Similarity
                                            • API ID: GlobalMemoryStatus
                                            • String ID:
                                            • API String ID: 1890195054-0
                                            • Opcode ID: fab9154dd74b660405b301ae1fc171350193c6ed3a6fbc58e516361e7fc3025e
                                            • Instruction ID: 06fc6307787d282812f570f206b321ed90c7ad8b1cf204d127fa558eb57a574e
                                            • Opcode Fuzzy Hash: fab9154dd74b660405b301ae1fc171350193c6ed3a6fbc58e516361e7fc3025e
                                            • Instruction Fuzzy Hash: 0B1133B1C006599BCB10DFAAC444BDEFBF4AB48324F11856AE918B7300D378A944CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 0107C118, Relevance: 1.6, APIs: 1, Instructions: 54COMMON
                                            Download Yara Rule
                                            APIs
                                            • RtlEncodePointer.NTDLL(00000000), ref: 0107C192
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.475491920.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: false
                                            Similarity
                                            • API ID: EncodePointer
                                            • String ID:
                                            • API String ID: 2118026453-0
                                            • Opcode ID: d76067b4dd706606d8be603b15bb6e9e45e35c9739d94931cc0867e9eaa1ffc9
                                            • Instruction ID: ba8657c49c0c7e28c39dc4930e1598bec80b6a8f2dd763554b9a9797cf77afc3
                                            • Opcode Fuzzy Hash: d76067b4dd706606d8be603b15bb6e9e45e35c9739d94931cc0867e9eaa1ffc9
                                            • Instruction Fuzzy Hash: 6011AFB1D003468FDB10EFA9D60839EBFF4FB45324F20886AD449A3601C7386504CF65
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 01073300, Relevance: 1.6, APIs: 1, Instructions: 50COMMON
                                            Download Yara Rule
                                            APIs
                                            • GetModuleHandleW.KERNEL32(00000000), ref: 01074116
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.475491920.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: false
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: ea39025747e160bdf9c2ee1f9818da431d4e9d935a94e7c8cb01fe948749216a
                                            • Instruction ID: 018daf1316bbbf66738a44537836cf8993d15cc8efc0615df52b5249d9d38133
                                            • Opcode Fuzzy Hash: ea39025747e160bdf9c2ee1f9818da431d4e9d935a94e7c8cb01fe948749216a
                                            • Instruction Fuzzy Hash: 281143B5D002498FCB20DF9AD844BDEFBF4EB88224F10846AE959B7600D374A549CFA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 010740AB, Relevance: 1.5, APIs: 1, Instructions: 49COMMON
                                            Download Yara Rule
                                            APIs
                                            • GetModuleHandleW.KERNEL32(00000000), ref: 01074116
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.475491920.0000000001070000.00000040.00000001.sdmp, Offset: 01070000, based on PE: false
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: 3e308c4de24856590537c232695e194d7d9cac6656837575abc6e207b315b290
                                            • Instruction ID: baa54913ac813ff145812f715707b94c7d9bdd3c5a81abbefaa3227c70c6bfe8
                                            • Opcode Fuzzy Hash: 3e308c4de24856590537c232695e194d7d9cac6656837575abc6e207b315b290
                                            • Instruction Fuzzy Hash: 8D1143B6D002498FDB10DFAAD444BDEFBF4EF89224F14846AD558B7600D374A549CFA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00E2A3E8, Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON
                                            Download Yara Rule
                                            APIs
                                            • OleInitialize.OLE32(00000000), ref: 00E2B355
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.474914361.0000000000E20000.00000040.00000001.sdmp, Offset: 00E20000, based on PE: false
                                            Similarity
                                            • API ID: Initialize
                                            • String ID:
                                            • API String ID: 2538663250-0
                                            • Opcode ID: 0cffc3a9ca2279cad31f048912fe6e0b192f948f7652e86f566c265b81e25adb
                                            • Instruction ID: 8984fc19256f305e23a77259d96f4399d688ae10d3adf35c00fe6c7c44b87196
                                            • Opcode Fuzzy Hash: 0cffc3a9ca2279cad31f048912fe6e0b192f948f7652e86f566c265b81e25adb
                                            • Instruction Fuzzy Hash: 661136B4C006488FCB10DF99D444BDEFBF8EB48324F108859E518B7200D3B4A944CFA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00ECD450, Relevance: .1, Instructions: 75COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.475214380.0000000000ECD000.00000040.00000001.sdmp, Offset: 00ECD000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: af9b8eefb9ec98e596c70357c1ffce43cf7f1b4bf4529c0b3f7284d7b92db076
                                            • Instruction ID: f0f50bf5d2dc565eb67346913258871a97cb753e1bf4d0d83bce7e99348c1a1a
                                            • Opcode Fuzzy Hash: af9b8eefb9ec98e596c70357c1ffce43cf7f1b4bf4529c0b3f7284d7b92db076
                                            • Instruction Fuzzy Hash: 6B2121B1508200DFCB08DF10DAC0F27BB65FB88328F20857CEA055A206C337E856CBA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00ECD53C, Relevance: .1, Instructions: 75COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.475214380.0000000000ECD000.00000040.00000001.sdmp, Offset: 00ECD000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3a439147b8123acc47ffa4bbf9f6bc1197319c5ca9d2414863741f6b197382a7
                                            • Instruction ID: f90878d95885811ce4e66baf539b40ef0e599da53ac8e8b11ec8d52b42cf0796
                                            • Opcode Fuzzy Hash: 3a439147b8123acc47ffa4bbf9f6bc1197319c5ca9d2414863741f6b197382a7
                                            • Instruction Fuzzy Hash: 5F21E0B1508244DFCB05DF14DAC0F26BB65FB98328F24857DE9055B246C337D856DAA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00EDD01C, Relevance: .1, Instructions: 72COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.475251525.0000000000EDD000.00000040.00000001.sdmp, Offset: 00EDD000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 408efb14e8212e51a7b6e04edea479b089d3939ea84bc8f7b2045f2c432b6642
                                            • Instruction ID: e485ad281740f2202827c0729feed3e6c1cbc36846d7a3d15de57233fd0bea17
                                            • Opcode Fuzzy Hash: 408efb14e8212e51a7b6e04edea479b089d3939ea84bc8f7b2045f2c432b6642
                                            • Instruction Fuzzy Hash: A821F2B5508240DFCB14DF24DCC0B26BB66FBC8318F24C5AAE90A5B346C736D847CA61
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00EDD005, Relevance: .1, Instructions: 62COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.475251525.0000000000EDD000.00000040.00000001.sdmp, Offset: 00EDD000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ac2b3ff9115c8ce15a810c0bbb6f99990fb57550aa1a2698b02a713a8ca3a4a7
                                            • Instruction ID: 1856711fdc8aeca7108ca6527ff4a1f4f7a4daa7145df6a558789805825a746b
                                            • Opcode Fuzzy Hash: ac2b3ff9115c8ce15a810c0bbb6f99990fb57550aa1a2698b02a713a8ca3a4a7
                                            • Instruction Fuzzy Hash: F221717550D3808FCB12CF24D990715BF71EB46214F28C5EBD8458B657C33A984BCB62
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00ECD44B, Relevance: .1, Instructions: 56COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.475214380.0000000000ECD000.00000040.00000001.sdmp, Offset: 00ECD000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f3b157afdbb6b8f97dc596e66e634dfcbcf822356cd4e727a4141288e46826d7
                                            • Instruction ID: 3cf0282638baa49d4746805f27da72ef252fdc04465d6434dd7ed3db6edea2fc
                                            • Opcode Fuzzy Hash: f3b157afdbb6b8f97dc596e66e634dfcbcf822356cd4e727a4141288e46826d7
                                            • Instruction Fuzzy Hash: CC11AF76508280CFCB15CF14DAC4B16BF71FB94328F2486ADD8051B616C337D85ACBA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00ECD537, Relevance: .1, Instructions: 56COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.475214380.0000000000ECD000.00000040.00000001.sdmp, Offset: 00ECD000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f3b157afdbb6b8f97dc596e66e634dfcbcf822356cd4e727a4141288e46826d7
                                            • Instruction ID: 176013c0b1b11484c843708e8590d54e7360d00239b176fb875b94f258f83065
                                            • Opcode Fuzzy Hash: f3b157afdbb6b8f97dc596e66e634dfcbcf822356cd4e727a4141288e46826d7
                                            • Instruction Fuzzy Hash: 6111AF76504280CFCB02CF10DAC4B16BF62FB94328F2486ADD8495B616C33BD85ACBA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Non-executed Functions