Analysis Report Minutes of meeting June 9th.exe

Overview

General Information

Sample Name: Minutes of meeting June 9th.exe
Analysis ID: 433114
MD5: ee4b5d2d220b8b925a84755e5ad9fa06
SHA1: 4bfa8d3abf280cca85905ce083fe4446ac1d4862
SHA256: 31e702dd0fc8ae15e8ca4991263c135709a1d64cda293a4896f89ed3b3699b77
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains very large array initializations
Injects a PE file into a foreign process
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection:

Found malware configuration
Source: 00000005.00000002.910886849.00000000030B1000.00000004.00000001.sdmp Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "jaime.navarro@crigab.cljaimecrigabmail.crigab.cl"}
Antivirus or Machine Learning detection for unpacked file
Source: 5.0.Minutes of meeting June 9th.exe.400000.1.unpack Avira: Label: TR/Spy.Gen8
Source: 5.2.Minutes of meeting June 9th.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files
Source: Minutes of meeting June 9th.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Minutes of meeting June 9th.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\KcyqvrOAxz\src\obj\Debug\TopLevelAssemblyTypeResolver.pdb source: Minutes of meeting June 9th.exe

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 1_2_078BF580
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 1_2_078BFE60

Networking:

Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49777 -> 173.249.158.24:587
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: NEXCESS-NETUS NEXCESS-NETUS
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.4:49777 -> 173.249.158.24:587
Source: unknown DNS traffic detected: queries for: mail.crigab.cl

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: Minutes of meeting June 9th.exe, 00000001.00000002.670227794.0000000000B2B000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

.NET source code contains very large array initializations
Source: 5.0.Minutes of meeting June 9th.exe.400000.1.unpack, <PrivateImplementationDetails>{803333A8-EFF5-4E80-99CE-4C157E275DB7}/F3C892EF-20E2-40F9-A4B1-80E514D3763B.cs Large array initialization: .cctor: array initializer size 11932
Source: 5.2.Minutes of meeting June 9th.exe.400000.0.unpack, <PrivateImplementationDetails>{803333A8-EFF5-4E80-99CE-4C157E275DB7}/F3C892EF-20E2-40F9-A4B1-80E514D3763B.cs Large array initialization: .cctor: array initializer size 11932
Detected potential crypto function
PE file contains strange resources
Source: Minutes of meeting June 9th.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: RfuYgTevtBVukb.exe.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: Minutes of meeting June 9th.exe, 00000001.00000003.662013488.0000000005B55000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameTopLevelAssemblyTypeResolver.exe6 vs Minutes of meeting June 9th.exe
Source: Minutes of meeting June 9th.exe, 00000001.00000002.681736034.000000000D8C0000.00000002.00000001.sdmp Binary or memory string: originalfilename vs Minutes of meeting June 9th.exe
Source: Minutes of meeting June 9th.exe, 00000001.00000002.681736034.000000000D8C0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Minutes of meeting June 9th.exe
Source: Minutes of meeting June 9th.exe, 00000001.00000002.678533661.0000000007680000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDSASignature.dll@ vs Minutes of meeting June 9th.exe
Source: Minutes of meeting June 9th.exe, 00000001.00000002.670227794.0000000000B2B000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Minutes of meeting June 9th.exe
Source: Minutes of meeting June 9th.exe, 00000001.00000002.681406474.0000000007C80000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameKygo.dll* vs Minutes of meeting June 9th.exe
Source: Minutes of meeting June 9th.exe, 00000001.00000002.671900306.00000000037E1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamejJgkoYsZmrwzEQxTTIcpKLqDdgl.exe4 vs Minutes of meeting June 9th.exe
Source: Minutes of meeting June 9th.exe, 00000001.00000002.681584092.000000000D7D0000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs Minutes of meeting June 9th.exe
Source: Minutes of meeting June 9th.exe, 00000001.00000002.681334375.0000000007BF0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs Minutes of meeting June 9th.exe
Source: Minutes of meeting June 9th.exe Binary or memory string: OriginalFilename vs Minutes of meeting June 9th.exe
Source: Minutes of meeting June 9th.exe, 00000005.00000002.909165017.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamejJgkoYsZmrwzEQxTTIcpKLqDdgl.exe4 vs Minutes of meeting June 9th.exe
Source: Minutes of meeting June 9th.exe, 00000005.00000000.667890199.0000000000AB6000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameTopLevelAssemblyTypeResolver.exe6 vs Minutes of meeting June 9th.exe
Source: Minutes of meeting June 9th.exe, 00000005.00000002.909841404.00000000010D0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewshom.ocx.mui vs Minutes of meeting June 9th.exe
Source: Minutes of meeting June 9th.exe, 00000005.00000002.910078068.000000000129A000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Minutes of meeting June 9th.exe
Source: Minutes of meeting June 9th.exe, 00000005.00000002.909466399.0000000000EF8000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Minutes of meeting June 9th.exe
Source: Minutes of meeting June 9th.exe, 00000005.00000002.909867356.00000000010F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs Minutes of meeting June 9th.exe
Source: Minutes of meeting June 9th.exe Binary or memory string: OriginalFilenameTopLevelAssemblyTypeResolver.exe6 vs Minutes of meeting June 9th.exe
Uses 32bit PE files
Source: Minutes of meeting June 9th.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 5.0.Minutes of meeting June 9th.exe.400000.1.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.2.Minutes of meeting June 9th.exe.400000.0.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@6/4@2/1
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe File created: C:\Users\user\AppData\Roaming\RfuYgTevtBVukb.exe
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5816:120:WilError_01
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Mutant created: \Sessions\1\BaseNamedObjects\qIhLjPLhpIZOsEXARyaaScPRQHt
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe File created: C:\Users\user\AppData\Local\Temp\tmp1C49.tmp
Source: Minutes of meeting June 9th.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Minutes of meeting June 9th.exe, 00000001.00000002.671554709.0000000002830000.00000004.00000001.sdmp Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: Minutes of meeting June 9th.exe, 00000001.00000002.671554709.0000000002830000.00000004.00000001.sdmp Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: Minutes of meeting June 9th.exe, 00000001.00000002.671554709.0000000002830000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: Minutes of meeting June 9th.exe, 00000001.00000002.671554709.0000000002830000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: Minutes of meeting June 9th.exe, 00000001.00000002.671554709.0000000002830000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: Minutes of meeting June 9th.exe, 00000001.00000002.671554709.0000000002830000.00000004.00000001.sdmp Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: Minutes of meeting June 9th.exe, 00000001.00000002.671554709.0000000002830000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: Minutes of meeting June 9th.exe, 00000001.00000002.671554709.0000000002830000.00000004.00000001.sdmp Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: Minutes of meeting June 9th.exe, 00000001.00000002.671554709.0000000002830000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe File read: C:\Users\user\Desktop\Minutes of meeting June 9th.exe:Zone.Identifier
Source: unknown Process created: C:\Users\user\Desktop\Minutes of meeting June 9th.exe 'C:\Users\user\Desktop\Minutes of meeting June 9th.exe'
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RfuYgTevtBVukb' /XML 'C:\Users\user\AppData\Local\Temp\tmp1C49.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Process created: C:\Users\user\Desktop\Minutes of meeting June 9th.exe C:\Users\user\Desktop\Minutes of meeting June 9th.exe
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Minutes of meeting June 9th.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Minutes of meeting June 9th.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Minutes of meeting June 9th.exe Static file information: File size 1552896 > 1048576
Source: Minutes of meeting June 9th.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x152a00
Source: Minutes of meeting June 9th.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Minutes of meeting June 9th.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\KcyqvrOAxz\src\obj\Debug\TopLevelAssemblyTypeResolver.pdb source: Minutes of meeting June 9th.exe

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Code function: 1_2_002573C3 push 0000006Fh; ret 1_2_002573CE
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Code function: 1_2_078B1D16 push es; retf 1_2_078B1D17
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Code function: 1_2_078B316D pushfd ; retf 0007h 1_2_078B31C9
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Code function: 1_2_07AF6659 push ds; retf 0007h 1_2_07AF665A
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Code function: 1_2_07AF5E01 push ss; retf 0007h 1_2_07AF5E02
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Code function: 1_2_07AF5E47 push ss; retf 0007h 1_2_07AF5E4A
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Code function: 1_2_07AF5DC0 push ss; retf 0007h 1_2_07AF5DC2
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Code function: 1_2_07B0AA30 push dword ptr [eax+edx-75h]; iretd 1_2_07B0AAA2
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Code function: 5_2_009673C3 push 0000006Fh; ret 5_2_009673CE
Source: initial sample Static PE information: section name: .text entropy: 7.39720072133

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe File created: C:\Users\user\AppData\Roaming\RfuYgTevtBVukb.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RfuYgTevtBVukb' /XML 'C:\Users\user\AppData\Local\Temp\tmp1C49.tmp'

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 00000001.00000002.671554709.0000000002830000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Minutes of meeting June 9th.exe PID: 7048, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Minutes of meeting June 9th.exe, 00000001.00000002.671554709.0000000002830000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Minutes of meeting June 9th.exe, 00000001.00000002.671554709.0000000002830000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 240000
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 239844
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 239719
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 239610
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 239485
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 239344
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 239235
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 239125
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 239016
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 238891
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 238750
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 238641
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 238453
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 238344
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 238219
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 238110
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 237953
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 237828
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 237719
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 237610
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 237453
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 237344
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 237235
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 237094
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 236985
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 236860
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 236735
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 236594
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 236469
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 236360
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 236203
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 236078
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 235969
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 235860
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 235735
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 235610
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 235453
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 235344
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 235235
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 235094
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 234985
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 234875
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 234766
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 234594
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 234485
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 234344
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 234235
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 234094
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 233953
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 233844
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 233719
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 233610
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 233500
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 233391
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 233282
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 233157
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 233047
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 232938
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Window / User API: threadDelayed 1001
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Window / User API: threadDelayed 7186
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Window / User API: threadDelayed 856
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Window / User API: threadDelayed 8958
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128 Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128 Thread sleep time: -239844s >= -30000s
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128 Thread sleep time: -239719s >= -30000s
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128 Thread sleep time: -239610s >= -30000s
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128 Thread sleep time: -239485s >= -30000s
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128 Thread sleep time: -239344s >= -30000s
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128 Thread sleep time: -239235s >= -30000s
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128 Thread sleep time: -239125s >= -30000s
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128 Thread sleep time: -239016s >= -30000s
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128 Thread sleep time: -238891s >= -30000s
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128 Thread sleep time: -238750s >= -30000s
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128 Thread sleep time: -238641s >= -30000s
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128 Thread sleep time: -238453s >= -30000s
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128 Thread sleep time: -238344s >= -30000s
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128 Thread sleep time: -238219s >= -30000s
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128 Thread sleep time: -238110s >= -30000s
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128 Thread sleep time: -237953s >= -30000s
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128 Thread sleep time: -237828s >= -30000s
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128 Thread sleep time: -237719s >= -30000s
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128 Thread sleep time: -237610s >= -30000s
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128 Thread sleep time: -237453s >= -30000s
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128 Thread sleep time: -237344s >= -30000s
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128 Thread sleep time: -237235s >= -30000s
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128 Thread sleep time: -237094s >= -30000s
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128 Thread sleep time: -236985s >= -30000s
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128 Thread sleep time: -236860s >= -30000s
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128 Thread sleep time: -236735s >= -30000s
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128 Thread sleep time: -236594s >= -30000s
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128 Thread sleep time: -236469s >= -30000s
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128 Thread sleep time: -236360s >= -30000s
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128 Thread sleep time: -236203s >= -30000s
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128 Thread sleep time: -236078s >= -30000s
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128 Thread sleep time: -235969s >= -30000s
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128 Thread sleep time: -235860s >= -30000s
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128 Thread sleep time: -235735s >= -30000s
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128 Thread sleep time: -235610s >= -30000s
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128 Thread sleep time: -235453s >= -30000s
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128 Thread sleep time: -235344s >= -30000s
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128 Thread sleep time: -235235s >= -30000s
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128 Thread sleep time: -235094s >= -30000s
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128 Thread sleep time: -234985s >= -30000s
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128 Thread sleep time: -234875s >= -30000s
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128 Thread sleep time: -234766s >= -30000s
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7052 Thread sleep time: -101632s >= -30000s
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128 Thread sleep time: -234594s >= -30000s
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128 Thread sleep time: -234485s >= -30000s
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128 Thread sleep time: -234344s >= -30000s
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128 Thread sleep time: -234235s >= -30000s
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128 Thread sleep time: -234094s >= -30000s
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128 Thread sleep time: -233953s >= -30000s
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128 Thread sleep time: -233844s >= -30000s
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128 Thread sleep time: -233719s >= -30000s
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128 Thread sleep time: -233610s >= -30000s
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128 Thread sleep time: -233500s >= -30000s
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128 Thread sleep time: -233391s >= -30000s
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128 Thread sleep time: -233282s >= -30000s
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128 Thread sleep time: -233157s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128 Thread sleep time: -233047s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 7128 Thread sleep time: -232938s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 6372 Thread sleep time: -13835058055282155s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 6580 Thread sleep count: 856 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 6580 Thread sleep count: 8958 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe TID: 6372 Thread sleep count: 43 > 30 Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 240000
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 239844
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 239719
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 239610
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 239485
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 239344
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 239235
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 239125
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 239016
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 238891
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 238750
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 238641
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 238453
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 238344
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 238219
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 238110
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 237953
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 237828
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 237719
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 237610
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 237453
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 237344
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 237235
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 237094
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 236985
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 236860
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 236735
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 236594
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 236469
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 236360
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 236203
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 236078
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 235969
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 235860
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 235735
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 235610
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 235453
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 235344
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 235235
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 235094
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 234985
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 234875
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 234766
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 101632
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 234594
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 234485
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 234344
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 234235
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 234094
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 233953
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 233844
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 233719
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 233610
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 233500
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 233391
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 233282
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 233157
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 233047
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 232938
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Thread delayed: delay time: 922337203685477
Source: Minutes of meeting June 9th.exe, 00000001.00000002.671554709.0000000002830000.00000004.00000001.sdmp Binary or memory string: vmware
Source: Minutes of meeting June 9th.exe, 00000001.00000002.671554709.0000000002830000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Minutes of meeting June 9th.exe, 00000001.00000002.671554709.0000000002830000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Minutes of meeting June 9th.exe, 00000001.00000002.671554709.0000000002830000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: Minutes of meeting June 9th.exe, 00000001.00000002.671554709.0000000002830000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: Minutes of meeting June 9th.exe, 00000001.00000002.671554709.0000000002830000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Minutes of meeting June 9th.exe, 00000001.00000002.671554709.0000000002830000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Minutes of meeting June 9th.exe, 00000001.00000002.671554709.0000000002830000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: Minutes of meeting June 9th.exe, 00000001.00000002.671554709.0000000002830000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: Minutes of meeting June 9th.exe, 00000005.00000002.910178371.0000000001308000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Code function: 5_2_010ECCF0 LdrInitializeThunk, 5_2_010ECCF0
Enables debug privileges
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Memory written: C:\Users\user\Desktop\Minutes of meeting June 9th.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RfuYgTevtBVukb' /XML 'C:\Users\user\AppData\Local\Temp\tmp1C49.tmp'
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Process created: C:\Users\user\Desktop\Minutes of meeting June 9th.exe C:\Users\user\Desktop\Minutes of meeting June 9th.exe
Source: Minutes of meeting June 9th.exe, 00000005.00000002.910411853.00000000018F0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: Minutes of meeting June 9th.exe, 00000005.00000002.910411853.00000000018F0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: Minutes of meeting June 9th.exe, 00000005.00000002.910411853.00000000018F0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: Minutes of meeting June 9th.exe, 00000005.00000002.910411853.00000000018F0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Users\user\Desktop\Minutes of meeting June 9th.exe VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Users\user\Desktop\Minutes of meeting June 9th.exe VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 00000005.00000002.909165017.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.668170941.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.671900306.00000000037E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 1.2.Minutes of meeting June 9th.exe.3891e68.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.Minutes of meeting June 9th.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Minutes of meeting June 9th.exe.3891e68.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Minutes of meeting June 9th.exe.400000.0.unpack, type: UNPACKEDPE
Yara detected AgentTesla
Source: Yara match File source: 00000005.00000002.909165017.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.668170941.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.671900306.00000000037E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.910886849.00000000030B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Minutes of meeting June 9th.exe PID: 5832, type: MEMORY
Source: Yara match File source: Process Memory Space: Minutes of meeting June 9th.exe PID: 7048, type: MEMORY
Source: Yara match File source: 1.2.Minutes of meeting June 9th.exe.3891e68.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.Minutes of meeting June 9th.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Minutes of meeting June 9th.exe.3891e68.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Minutes of meeting June 9th.exe.400000.0.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\Minutes of meeting June 9th.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Yara detected Credential Stealer
Source: Yara match File source: 00000005.00000002.910886849.00000000030B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Minutes of meeting June 9th.exe PID: 5832, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: 00000005.00000002.909165017.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.668170941.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.671900306.00000000037E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 1.2.Minutes of meeting June 9th.exe.3891e68.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.Minutes of meeting June 9th.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Minutes of meeting June 9th.exe.3891e68.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Minutes of meeting June 9th.exe.400000.0.unpack, type: UNPACKEDPE
Yara detected AgentTesla
Source: Yara match File source: 00000005.00000002.909165017.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.668170941.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.671900306.00000000037E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.910886849.00000000030B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Minutes of meeting June 9th.exe PID: 5832, type: MEMORY
Source: Yara match File source: Process Memory Space: Minutes of meeting June 9th.exe PID: 7048, type: MEMORY
Source: Yara match File source: 1.2.Minutes of meeting June 9th.exe.3891e68.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.Minutes of meeting June 9th.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Minutes of meeting June 9th.exe.3891e68.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.Minutes of meeting June 9th.exe.400000.0.unpack, type: UNPACKEDPE