Windows Analysis Report 6LS4xS6TKn.exe

Overview

General Information

Sample Name: 6LS4xS6TKn.exe
Analysis ID: 452668
MD5: 118f0e5d6a1c91a5b820741669c495d7
SHA1: 933d498bf7eea29d1dedd4b597692d62c6dc53d4
SHA256: 16d0e36df66a1ba451c25a5f5c1fcccca5cb415a81cb8820f89811232c4fc3b3
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Process Tree

  • System is w10x64
  • 6LS4xS6TKn.exe (PID: 4260 cmdline: 'C:\Users\user\Desktop\6LS4xS6TKn.exe' MD5: 118F0E5D6A1C91A5B820741669C495D7)
    • schtasks.exe (PID: 4300 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yuNCTcaeT' /XML 'C:\Users\user\AppData\Local\Temp\tmp74F3.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • 6LS4xS6TKn.exe (PID: 6048 cmdline: {path} MD5: 118F0E5D6A1C91A5B820741669C495D7)
  • MLdAu.exe (PID: 6108 cmdline: 'C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe' MD5: 118F0E5D6A1C91A5B820741669C495D7)
    • schtasks.exe (PID: 3148 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yuNCTcaeT' /XML 'C:\Users\user\AppData\Local\Temp\tmpAB9F.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 1328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • MLdAu.exe (PID: 1392 cmdline: {path} MD5: 118F0E5D6A1C91A5B820741669C495D7)
  • MLdAu.exe (PID: 5432 cmdline: 'C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe' MD5: 118F0E5D6A1C91A5B820741669C495D7)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "account@jiqdyi.com", "Password": "Emotion22", "Host": "mail.spamora.net"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
0000001F.00000002.490664959.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000001F.00000002.490664959.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000017.00000002.484767094.000000000399B000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000017.00000002.484767094.000000000399B000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000000.00000002.313750267.0000000003FAB000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Unpacked PEs

Source | Rule | Description | Author
0.2.6LS4xS6TKn.exe.406f160.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.6LS4xS6TKn.exe.406f160.2.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
31.2.MLdAu.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
31.2.MLdAu.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
23.2.MLdAu.exe.3a5f160.2.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 31.2.MLdAu.exe.400000.0.unpack; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "account@jiqdyi.com", "Password": "Emotion22", "Host": "mail.spamora.net"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe; ReversingLabs: Detection: 30%
Source: C:\Users\user\AppData\Roaming\yuNCTcaeT.exe; ReversingLabs: Detection: 30%
Multi AV Scanner detection for submitted file
Source: 6LS4xS6TKn.exe; Virustotal: Detection: 37%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\yuNCTcaeT.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: 6LS4xS6TKn.exe; Joe Sandbox ML: detected
Source: 31.2.MLdAu.exe.400000.0.unpack; Avira: Label: TR/Spy.Gen8
Source: 6LS4xS6TKn.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 6LS4xS6TKn.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: MLdAu.exe, 00000017.00000002.480314370.0000000000D18000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe; Window created: window name: CLIPBRDWNDCLASS
                      Source: 6LS4xS6TKn.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: yuNCTcaeT.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 6LS4xS6TKn.exe, 00000000.00000002.324715364.0000000007B90000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs 6LS4xS6TKn.exe
                      Source: 6LS4xS6TKn.exe, 00000000.00000002.312300179.000000000322D000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameResource_Meter.dll> vs 6LS4xS6TKn.exe
                      Source: 6LS4xS6TKn.exe, 00000000.00000002.313750267.0000000003FAB000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameujwgwcyhtpqCnYQxVzecNLZpOeEfHt.exe4 vs 6LS4xS6TKn.exe
                      Source: 6LS4xS6TKn.exe, 00000000.00000002.324598373.0000000007A30000.00000002.00000001.sdmp Binary or memory string: originalfilename vs 6LS4xS6TKn.exe
                      Source: 6LS4xS6TKn.exe, 00000000.00000002.324598373.0000000007A30000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 6LS4xS6TKn.exe
                      Source: 6LS4xS6TKn.exe, 00000000.00000002.324532162.00000000079E0000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs 6LS4xS6TKn.exe
                      Source: 6LS4xS6TKn.exe, 00000000.00000002.308987579.0000000000C59000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameqem4S.exe2 vs 6LS4xS6TKn.exe
                      Source: 6LS4xS6TKn.exe, 00000000.00000002.319983939.00000000054B0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs 6LS4xS6TKn.exe
                      Source: 6LS4xS6TKn.exe, 00000012.00000000.308204527.0000000000959000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameqem4S.exe2 vs 6LS4xS6TKn.exe
                      Source: 6LS4xS6TKn.exe Binary or memory string: OriginalFilenameqem4S.exe2 vs 6LS4xS6TKn.exe
                      Source: 6LS4xS6TKn.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: 6LS4xS6TKn.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: yuNCTcaeT.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: classification engine Classification label: mal100.troj.evad.winEXE@13/7@0/0
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exe File created: C:\Users\user\AppData\Roaming\yuNCTcaeT.exe
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Mutant created: \Sessions\1\BaseNamedObjects\sDHgnvwda
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4604:120:WilError_01
                      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1328:120:WilError_01
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exe File created: C:\Users\user\AppData\Local\Temp\tmp74F3.tmp
                      Source: 6LS4xS6TKn.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exe File read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: 6LS4xS6TKn.exe Virustotal: Detection: 37%
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exe File read: C:\Users\user\Desktop\6LS4xS6TKn.exe
                      Source: unknown Process created: C:\Users\user\Desktop\6LS4xS6TKn.exe 'C:\Users\user\Desktop\6LS4xS6TKn.exe'
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yuNCTcaeT' /XML 'C:\Users\user\AppData\Local\Temp\tmp74F3.tmp'
                      Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exe Process created: C:\Users\user\Desktop\6LS4xS6TKn.exe {path}
                      Source: unknown Process created: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe 'C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe'
                      Source: unknown Process created: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe 'C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe'
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yuNCTcaeT' /XML 'C:\Users\user\AppData\Local\Temp\tmpAB9F.tmp'
                      Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Process created: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe {path}
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
                      Source: Window Recorder Window detected: More than 3 window changes detected
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: 6LS4xS6TKn.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: 6LS4xS6TKn.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

                      Data Obfuscation:

                      .NET source code contains potential unpacker
                      Source: 6LS4xS6TKn.exe, uNotepad/Form1.cs .Net Code: TGBNJUYHFDERWS System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exe Code function: 0_2_00BD9686 push ss; ret 0_2_00BD96AD
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exe Code function: 0_2_00BD73C5 push edi; retf 0_2_00BD73DB
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exe Code function: 0_2_02D261EA push edx; iretd 0_2_02D261EB
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exe Code function: 0_2_02D22A4F push edi; retf 0_2_02D22A51
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Code function: 23_2_005473C5 push edi; retf 23_2_005473DB
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Code function: 23_2_00549686 push ss; ret 23_2_005496AD
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Code function: 23_2_00CF61EA push edx; iretd 23_2_00CF61EB
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Code function: 23_2_00CF6365 pushad ; iretd 23_2_00CF6372
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Code function: 23_2_00CF6360 pushad ; iretd 23_2_00CF6362
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Code function: 23_2_00CF632F pushad ; iretd 23_2_00CF6332
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Code function: 23_2_00CF2A4F push edi; retf 23_2_00CF2A51
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Code function: 23_2_00CF0FD0 push cs; iretd 23_2_00CF0FD6
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Code function: 23_2_00CF0FE3 push es; iretd 23_2_00CF0FFE
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Code function: 23_2_00CF0F9B push es; iretd 23_2_00CF0FA6
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Code function: 23_2_00CF0F90 push es; iretd 23_2_00CF0F9A
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Code function: 23_2_0282994D push FFFFFF8Bh; iretd 23_2_0282994F
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Code function: 25_2_007F73C5 push edi; retf 25_2_007F73DB
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Code function: 25_2_007F9686 push ss; ret 25_2_007F96AD
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Code function: 25_2_00E961EA push edx; iretd 25_2_00E961EB
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Code function: 25_2_00E92A4F push edi; retf 25_2_00E92A51
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Code function: 25_2_02C3E3D0 push cs; retf 0002h 25_2_02C3E3D2
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Code function: 25_2_02C3E331 push cs; retf 0002h 25_2_02C3E332
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Code function: 25_2_02C3FA88 push ds; retf 0002h 25_2_02C3FA8A
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Code function: 25_2_02C3FAB8 push ds; retf 0002h 25_2_02C3FABA
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Code function: 25_2_02C3FB80 push ds; retf 0002h 25_2_02C3FB82
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Code function: 25_2_02C3FB09 push ds; retf 0002h 25_2_02C3FB0A
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Code function: 25_2_02C3FCC8 push ds; retf 0002h 25_2_02C3FCCA
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Code function: 25_2_02C3FC6F push ds; retf 0002h 25_2_02C3FC72
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Code function: 25_2_055064A0 pushad ; retf 0002h 25_2_055064F2
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Code function: 25_2_05504378 push eax; retf 0002h 25_2_055043CA
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Code function: 25_2_0550E502 push E802005Eh; ret 25_2_0550E509
                      Source: initial sample Static PE information: section name: .text entropy: 7.70847292155
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exe File created: C:\Users\user\AppData\Roaming\yuNCTcaeT.exe
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exe File created: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe

                      Boot Survival:

                      Uses schtasks.exe or at.exe to add and modify task schedules
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yuNCTcaeT' /XML 'C:\Users\user\AppData\Local\Temp\tmp74F3.tmp'
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run MLdAu

                      Hooking and other Techniques for Hiding and Protection:

                      Hides that the sample has been downloaded from the Internet (zone.identifier)
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exe File opened: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe:Zone.Identifier read attributes | delete
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: Process Memory Space: MLdAu.exe PID: 6108, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: 6LS4xS6TKn.exe, 00000000.00000002.310375251.0000000002F51000.00000004.00000001.sdmp, MLdAu.exe, 00000017.00000002.481802718.0000000002941000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: 6LS4xS6TKn.exe, 00000000.00000002.310375251.0000000002F51000.00000004.00000001.sdmp, MLdAu.exe, 00000017.00000002.481802718.0000000002941000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Window / User API: threadDelayed 956
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Window / User API: threadDelayed 8891
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe TID: 5280 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe TID: 5700 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe TID: 1828 | Thread sleep time: -21213755684765971s >= -30000s
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe TID: 5436 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe TID: 6040 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe | Last function: Thread delayed
Source: MLdAu.exe, 00000017.00000002.481802718.0000000002941000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: MLdAu.exe, 00000017.00000002.481802718.0000000002941000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: MLdAu.exe, 00000017.00000002.481802718.0000000002941000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: MLdAu.exe, 00000017.00000002.481802718.0000000002941000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: MLdAu.exe, 00000017.00000002.481802718.0000000002941000.00000004.00000001.sdmp | Binary or memory string: VMWARE
Source: MLdAu.exe, 00000017.00000002.481802718.0000000002941000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: MLdAu.exe, 00000017.00000002.481802718.0000000002941000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: MLdAu.exe, 00000017.00000002.481802718.0000000002941000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: MLdAu.exe, 00000017.00000002.481802718.0000000002941000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Memory allocated: page read and write | page guard
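Added example, not part of this report or of the sample's code: an indicator sweep a responder could run over a memory dump of MLdAu.exe to reproduce the "Binary or memory string" rows above by hand. The dump bytes are constructed here to stand in for a region of the .NET heap. The point it illustrates is that a .NET process keeps System.String data as UTF-16LE, so a plain ASCII strings pass misses the VMware and Sandboxie indicators that the Yara AntiVM3 match rests on; the scan therefore tests both encodings and ignores case, since the report shows the same indicator in several casings (vmware, VMWARE, VMware SVGA II).

```python
"""Anti-analysis indicator sweep for a .NET process memory dump (added example).

Indicator strings are the ones listed in this report; the dump is constructed.
"""
from typing import Dict, List

# Indicators copied from the report rows, grouped by what the sample tests for.
INDICATORS: Dict[str, List[str]] = {
    "sandbox-dll": ["SbieDll.dll"],
    "wine":        ["WINE_GET_UNIX_FILE_NAME"],
    "vmware":      ["VMware SVGA II",
                    "SOFTWARE\\VMware, Inc.\\VMware Tools",
                    "C:\\PROGRAM FILES\\VMWARE\\VMWARE TOOLS\\"],
    "scsi-enum":   ["HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 1\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0",
                    "SYSTEM\\ControlSet001\\Services\\Disk\\Enum"],
    "wmi-hw":      ["Win32_BaseBoard", "Win32_Processor", "Win32_NetworkAdapterConfiguration"],
}


def scan(blob: bytes) -> Dict[str, List[str]]:
    """Return {category: [indicator, ...]} for every indicator present in the
    dump as ASCII or as UTF-16LE (how the CLR stores System.String).

    bytes.lower() only touches ASCII byte values, so it lowercases the low
    byte of each UTF-16LE code unit and leaves the 0x00 high bytes alone,
    which is exactly what a case-insensitive UTF-16LE comparison needs.
    """
    lowered = blob.lower()
    hits: Dict[str, List[str]] = {}
    for category, needles in INDICATORS.items():
        for needle in needles:
            n = needle.lower()
            if n.encode("ascii") in lowered or n.encode("utf-16-le") in lowered:
                hits.setdefault(category, []).append(needle)
    return hits


def ascii_only_scan(blob: bytes) -> Dict[str, List[str]]:
    """The naive version: same indicators, ASCII encoding only. Kept to show
    what a default strings pass over a .NET dump fails to report."""
    lowered = blob.lower()
    hits: Dict[str, List[str]] = {}
    for category, needles in INDICATORS.items():
        for needle in needles:
            if needle.lower().encode("ascii") in lowered:
                hits.setdefault(category, []).append(needle)
    return hits


def build_sample_dump() -> bytes:
    """Constructed stand-in for a heap region: filler bytes, two indicators
    stored as UTF-16LE (as the CLR would), and one stored as ASCII."""
    filler = b"\x00" * 16 + b"\x4d\x5a\x90\x00" + b"\x00" * 16   # arbitrary bytes around an MZ header
    return (filler
            + "SBIEDLL.DLL".encode("utf-16-le") + b"\x00\x00"   # upper-cased, as in the report row
            + filler
            + "SOFTWARE\\VMware, Inc.\\VMware Tools".encode("utf-16-le")
            + filler
            + b"Win32_BaseBoard\x00"                              # ASCII copy, e.g. from a WMI query string
            + filler)


if __name__ == "__main__":
    dump = build_sample_dump()
    print("ascii-only:", ascii_only_scan(dump))   # misses the two UTF-16LE strings
    print("ascii+utf16:", scan(dump))
```

Run against a real dump (for example the memory region the .sdmp identifiers above refer to) by reading the file into `scan()`; the category names are the only part that is invented here.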

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Memory written: C:\Users\user\Desktop\6LS4xS6TKn.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe | Memory written: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yuNCTcaeT' /XML 'C:\Users\user\AppData\Local\Temp\tmp74F3.tmp'
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Process created: C:\Users\user\Desktop\6LS4xS6TKn.exe {path}
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yuNCTcaeT' /XML 'C:\Users\user\AppData\Local\Temp\tmpAB9F.tmp'
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe | Process created: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe {path}
Source: MLdAu.exe, 00000019.00000002.495400726.0000000001630000.00000002.00000001.sdmp, MLdAu.exe, 0000001F.00000002.494918317.0000000001360000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: MLdAu.exe, 00000019.00000002.495400726.0000000001630000.00000002.00000001.sdmp, MLdAu.exe, 0000001F.00000002.494918317.0000000001360000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: MLdAu.exe, 00000019.00000002.495400726.0000000001630000.00000002.00000001.sdmp, MLdAu.exe, 0000001F.00000002.494918317.0000000001360000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: MLdAu.exe, 00000019.00000002.495400726.0000000001630000.00000002.00000001.sdmp, MLdAu.exe, 0000001F.00000002.494918317.0000000001360000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
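Added example, not part of this report or of the sample's code: two hunting rules distilled from the process tree above, run over constructed Sysmon Event ID 1 style records (ParentImage, Image, CommandLine). Rule one flags schtasks.exe /Create with an /XML task definition under AppData\Local\Temp launched from a binary in a user-writable folder, which is the persistence step recorded for both 6LS4xS6TKn.exe and MLdAu.exe. Rule two flags a user-writable executable starting a second copy of its own image, the step after which the report sees an MZ header (4D5A) written into the child at base 0x400000. The `{path}` in the command line is the report's own placeholder for the parent's path; the task name and temp file names are copied from the rows above, and the two benign records are invented controls.

```python
"""Process-creation hunting rules derived from this report's process tree (added example).

Records mimic Sysmon Event ID 1 fields but are constructed here; only the paths,
task name and temp file names in the first four are taken from the report.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Folders a standard user can write to; a binary running from here and then
# self-spawning or scheduling tasks is far more suspicious than one under Program Files.
USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\(Desktop|Downloads|AppData)\\", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
XML_ARG = re.compile(r"/XML\s+['\"]?([^'\"]+)", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def parse_event(line: str) -> ProcEvent:
    """Parse 'ParentImage=<path>|Image=<path>|CommandLine=<text>' (constructed format)."""
    fields = dict(part.split("=", 1) for part in line.rstrip("\n").split("|"))
    return ProcEvent(fields["ParentImage"], fields["Image"], fields["CommandLine"])


def rule_schtasks_xml_from_temp(ev: ProcEvent) -> bool:
    """schtasks /Create ... /XML <file under %LOCALAPPDATA%\\Temp>, spawned by a
    user-writable binary: the persistence step for task 'Updates\\yuNCTcaeT'."""
    if not ev.image.lower().endswith("\\schtasks.exe"):
        return False
    if "/create" not in ev.command_line.lower():
        return False
    m = XML_ARG.search(ev.command_line)
    if m is None:
        return False
    return bool(TEMP_DIR.search(m.group(1))) and bool(USER_WRITABLE.match(ev.parent_image))


def rule_self_spawn(ev: ProcEvent) -> bool:
    """A user-writable executable launching its own image again: the child is the
    process that later receives a new PE image at base 0x400000."""
    return ev.parent_image.lower() == ev.image.lower() and bool(USER_WRITABLE.match(ev.image))


def hunt(lines: Iterable[str]) -> List[str]:
    """Return one alert string per rule match, in record order."""
    alerts: List[str] = []
    for line in lines:
        ev = parse_event(line)
        if rule_schtasks_xml_from_temp(ev):
            alerts.append(f"schtasks-xml-from-temp: {ev.parent_image} -> {ev.command_line}")
        if rule_self_spawn(ev):
            alerts.append(f"self-spawn: {ev.image}")
    return alerts


SAMPLE_EVENTS = [
    # Constructed from the four 'Process created' rows in this report.
    r"ParentImage=C:\Users\user\Desktop\6LS4xS6TKn.exe|Image=C:\Windows\SysWOW64\schtasks.exe|CommandLine='C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yuNCTcaeT' /XML 'C:\Users\user\AppData\Local\Temp\tmp74F3.tmp'",
    r"ParentImage=C:\Users\user\Desktop\6LS4xS6TKn.exe|Image=C:\Users\user\Desktop\6LS4xS6TKn.exe|CommandLine={path}",
    r"ParentImage=C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe|Image=C:\Windows\SysWOW64\schtasks.exe|CommandLine='C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yuNCTcaeT' /XML 'C:\Users\user\AppData\Local\Temp\tmpAB9F.tmp'",
    r"ParentImage=C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe|Image=C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe|CommandLine={path}",
    # Invented benign controls: an admin importing a task from ProgramData, and
    # explorer launching a user binary (not a self-spawn).
    r"ParentImage=C:\Windows\System32\cmd.exe|Image=C:\Windows\System32\schtasks.exe|CommandLine=schtasks.exe /Create /TN 'Backup\Nightly' /XML 'C:\ProgramData\Backup\nightly.xml'",
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Users\user\Desktop\notes.exe|CommandLine=notes.exe",
]


if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```

Rule two on its own is noisy on hosts with Electron-style applications under AppData\Local that launch helper copies of themselves; in practice it is worth correlating with the memory-write telemetry above (a non-debugger process writing an MZ header into a child it just created) rather than alerting on the self-spawn alone.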
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Users\user\Desktop\6LS4xS6TKn.exe VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF | VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf | VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf | VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf | VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Fonts\micross.ttf | VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Users\user\Desktop\6LS4xS6TKn.exe | VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll | VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe | Queries volume information: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe | VolumeInformation
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe | Queries volume information: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe | VolumeInformation
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe | Queries volume information: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe | VolumeInformation
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
Source: C:\Users\user\Desktop\6LS4xS6TKn.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 0.2.6LS4xS6TKn.exe.406f160.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.MLdAu.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.MLdAu.exe.3a5f160.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.MLdAu.exe.3a5f160.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.6LS4xS6TKn.exe.406f160.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000001F.00000002.490664959.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.484767094.000000000399B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.313750267.0000000003FAB000.00000004.00000001.sdmp, type: MEMORY

Yara detected AgentTesla
Source: Yara match | File source: 0.2.6LS4xS6TKn.exe.406f160.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.MLdAu.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.MLdAu.exe.3a5f160.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.MLdAu.exe.3a5f160.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.6LS4xS6TKn.exe.406f160.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000001F.00000002.490664959.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.484767094.000000000399B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.313750267.0000000003FAB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.496038864.00000000029F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: MLdAu.exe PID: 6108, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 0.2.6LS4xS6TKn.exe.406f160.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.MLdAu.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.MLdAu.exe.3a5f160.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.MLdAu.exe.3a5f160.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.6LS4xS6TKn.exe.406f160.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000001F.00000002.490664959.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.484767094.000000000399B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.313750267.0000000003FAB000.00000004.00000001.sdmp, type: MEMORY

Yara detected AgentTesla
Source: Yara match | File source: 0.2.6LS4xS6TKn.exe.406f160.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 31.2.MLdAu.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.MLdAu.exe.3a5f160.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.MLdAu.exe.3a5f160.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.6LS4xS6TKn.exe.406f160.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000001F.00000002.490664959.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.484767094.000000000399B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.313750267.0000000003FAB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.496038864.00000000029F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: MLdAu.exe PID: 6108, type: MEMORY

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 211 | Scheduled Task/Job 1 | Process Injection 112 | Masquerading 1 | Input Capture 1 | Security Software Discovery 311 | Remote Services | Input Capture 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job 1 | Registry Run Keys / Startup Folder 1 | Scheduled Task/Job 1 | Disable or Modify Tools 1 | LSASS Memory | Process Discovery 2 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Registry Run Keys / Startup Folder 1 | Virtualization/Sandbox Evasion 131 | Security Account Manager | Virtualization/Sandbox Evasion 131 | SMB/Windows Admin Shares | Clipboard Data 1 | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 112 | NTDS | Application Window Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Hidden Files and Directories 1 | LSA Secrets | File and Directory Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 2 | Cached Domain Credentials | System Information Discovery 113 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 13 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

Behavior Graph

Behavior Graph ID: 452668 | Sample: 6LS4xS6TKn.exe | Startdate: 22/07/2021 | Architecture: WINDOWS | Score: 100

Signatures on the sample: Found malware configuration; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 7 other signatures

Process tree (from the behavior graph):
6LS4xS6TKn.exe (started)
    dropped: C:\Users\user\AppData\Roaming\yuNCTcaeT.exe (PE32); C:\Users\user\AppData\Local\...\tmp74F3.tmp (XML); C:\Users\user\AppData\...\6LS4xS6TKn.exe.log (ASCII)
    signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Uses schtasks.exe or at.exe to add and modify task schedules
    6LS4xS6TKn.exe (started)
        dropped: C:\Users\user\AppData\Roaming\...\MLdAu.exe (PE32); C:\Users\user\...\MLdAu.exe:Zone.Identifier (ASCII)
        signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
    schtasks.exe (started)
        conhost.exe (started)
MLdAu.exe (started)
    signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Injects a PE file into a foreign processes
    schtasks.exe (started)
        conhost.exe (started)
    MLdAu.exe (started)
MLdAu.exe (started)


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
6LS4xS6TKn.exe | 37% | Virustotal |
6LS4xS6TKn.exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\yuNCTcaeT.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe | 30% | ReversingLabs | ByteCode-MSIL.Trojan.Heracles
C:\Users\user\AppData\Roaming\yuNCTcaeT.exe | 30% | ReversingLabs | ByteCode-MSIL.Trojan.Heracles

Unpacked PE Files

Source | Detection | Scanner | Label
31.2.MLdAu.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

                      Domains

                      No Antivirus matches

                      URLs


                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      URLs from Memory and Binaries

                                • URL Reputation: safe
                                unknown
                                http://fontfabrik.com6LS4xS6TKn.exe, 00000000.00000002.323812186.00000000067A0000.00000002.00000001.sdmp, MLdAu.exe, 00000017.00000002.489169932.0000000006090000.00000002.00000001.sdmp, MLdAu.exe, 00000019.00000002.506598574.0000000006410000.00000002.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                http://www.fontbureau.comgrita6LS4xS6TKn.exe, 00000000.00000003.228775740.00000000059D2000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                http://www.galapagosdesign.com/DPlease6LS4xS6TKn.exe, 00000000.00000002.323812186.00000000067A0000.00000002.00000001.sdmp, MLdAu.exe, 00000017.00000002.489169932.0000000006090000.00000002.00000001.sdmp, MLdAu.exe, 00000019.00000002.506598574.0000000006410000.00000002.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                https://login.blockchain.com/MLdAu.exe, 0000001F.00000002.496038864.00000000029F1000.00000004.00000001.sdmpfalse
                                  high
                                  https://api.ipify.org%GETMozilla/5.0MLdAu.exe, 0000001F.00000002.496038864.00000000029F1000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  low
                                  http://www.fonts.com6LS4xS6TKn.exe, 00000000.00000002.323812186.00000000067A0000.00000002.00000001.sdmp, MLdAu.exe, 00000017.00000002.489169932.0000000006090000.00000002.00000001.sdmp, MLdAu.exe, 00000019.00000002.506598574.0000000006410000.00000002.00000001.sdmpfalse
                                    high
                                    http://www.sandoll.co.kr6LS4xS6TKn.exe, 00000000.00000002.323812186.00000000067A0000.00000002.00000001.sdmp, MLdAu.exe, 00000017.00000002.489169932.0000000006090000.00000002.00000001.sdmp, MLdAu.exe, 00000019.00000002.506598574.0000000006410000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.urwpp.deDPlease6LS4xS6TKn.exe, 00000000.00000002.323812186.00000000067A0000.00000002.00000001.sdmp, MLdAu.exe, 00000017.00000002.489169932.0000000006090000.00000002.00000001.sdmp, MLdAu.exe, 00000019.00000002.506598574.0000000006410000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://www.zhongyicts.com.cn6LS4xS6TKn.exe, 00000000.00000002.323812186.00000000067A0000.00000002.00000001.sdmp, MLdAu.exe, 00000017.00000002.489169932.0000000006090000.00000002.00000001.sdmp, MLdAu.exe, 00000019.00000002.506598574.0000000006410000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    unknown
                                    http://BGwprh.comMLdAu.exe, 0000001F.00000002.496038864.00000000029F1000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name6LS4xS6TKn.exe, 00000000.00000002.310375251.0000000002F51000.00000004.00000001.sdmp, MLdAu.exe, 00000017.00000002.481802718.0000000002941000.00000004.00000001.sdmpfalse
                                      high
                                      http://www.carterandcone.como.6LS4xS6TKn.exe, 00000000.00000003.221602372.00000000059D5000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      http://www.sakkal.com6LS4xS6TKn.exe, 00000000.00000002.323812186.00000000067A0000.00000002.00000001.sdmp, MLdAu.exe, 00000017.00000002.489169932.0000000006090000.00000002.00000001.sdmp, MLdAu.exe, 00000019.00000002.506598574.0000000006410000.00000002.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip6LS4xS6TKn.exe, 00000000.00000002.313750267.0000000003FAB000.00000004.00000001.sdmp, MLdAu.exe, 00000017.00000002.484767094.000000000399B000.00000004.00000001.sdmp, MLdAu.exe, 0000001F.00000002.490664959.0000000000402000.00000040.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      http://www.galapagosdesign.com/staff/dennis.htmS6LS4xS6TKn.exe, 00000000.00000003.227126282.00000000059D0000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.fontbureau.comalsj96LS4xS6TKn.exe, 00000000.00000003.226229966.00000000059D2000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.fontbureau.comalsd6LS4xS6TKn.exe, 00000000.00000003.226229966.00000000059D2000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      http://www.jiyu-kobo.co.jp/296LS4xS6TKn.exe, 00000000.00000003.223180754.00000000059C8000.00000004.00000001.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      http://www.apache.org/licenses/LICENSE-2.06LS4xS6TKn.exe, 00000000.00000002.323812186.00000000067A0000.00000002.00000001.sdmp, MLdAu.exe, 00000017.00000002.489169932.0000000006090000.00000002.00000001.sdmp, MLdAu.exe, 00000019.00000002.506598574.0000000006410000.00000002.00000001.sdmpfalse
                                        high
                                        http://www.fontbureau.com6LS4xS6TKn.exe, 00000000.00000003.225393927.00000000059CC000.00000004.00000001.sdmp, 6LS4xS6TKn.exe, 00000000.00000003.226229966.00000000059D2000.00000004.00000001.sdmp, MLdAu.exe, 00000017.00000002.489169932.0000000006090000.00000002.00000001.sdmp, MLdAu.exe, 00000019.00000002.506598574.0000000006410000.00000002.00000001.sdmpfalse
                                          high
                                          http://www.galapagosdesign.com/6LS4xS6TKn.exe, 00000000.00000003.227126282.00000000059D0000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          http://DynDns.comDynDNSMLdAu.exe, 0000001F.00000002.496038864.00000000029F1000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          http://www.jiyu-kobo.co.jp/X6LS4xS6TKn.exe, 00000000.00000003.224006332.00000000059C8000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          http://www.fontbureau.comF6LS4xS6TKn.exe, 00000000.00000003.228775740.00000000059D2000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          http://www.founder.com.cn/cnvan6LS4xS6TKn.exe, 00000000.00000003.220502768.00000000059D3000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%haMLdAu.exe, 0000001F.00000002.496038864.00000000029F1000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          http://www.jiyu-kobo.co.jp/Y0P6LS4xS6TKn.exe, 00000000.00000003.223180754.00000000059C8000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.jiyu-kobo.co.jp/oi6LS4xS6TKn.exe, 00000000.00000003.224006332.00000000059C8000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          http://www.jiyu-kobo.co.jp/jp/6LS4xS6TKn.exe, 00000000.00000003.223180754.00000000059C8000.00000004.00000001.sdmp, 6LS4xS6TKn.exe, 00000000.00000003.224006332.00000000059C8000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          http://www.fontbureau.comd6LS4xS6TKn.exe, 00000000.00000003.226229966.00000000059D2000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          http://www.carterandcone.coml6LS4xS6TKn.exe, 00000000.00000002.323812186.00000000067A0000.00000002.00000001.sdmp, MLdAu.exe, 00000017.00000002.489169932.0000000006090000.00000002.00000001.sdmp, MLdAu.exe, 00000019.00000002.506598574.0000000006410000.00000002.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          http://www.founder.com.cn/cn/6LS4xS6TKn.exe, 00000000.00000003.220285896.00000000059D3000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          http://www.fontbureau.com/designers/cabarga.htmlN6LS4xS6TKn.exe, 00000000.00000002.323812186.00000000067A0000.00000002.00000001.sdmp, MLdAu.exe, 00000017.00000002.489169932.0000000006090000.00000002.00000001.sdmp, MLdAu.exe, 00000019.00000002.506598574.0000000006410000.00000002.00000001.sdmpfalse
                                            high
                                            http://www.founder.com.cn/cn6LS4xS6TKn.exe, 00000000.00000003.222647223.00000000059D5000.00000004.00000001.sdmp, 6LS4xS6TKn.exe, 00000000.00000003.221602372.00000000059D5000.00000004.00000001.sdmp, MLdAu.exe, 00000017.00000002.489169932.0000000006090000.00000002.00000001.sdmp, MLdAu.exe, 00000019.00000002.506598574.0000000006410000.00000002.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            http://www.fontbureau.com/designers/frere-jones.html6LS4xS6TKn.exe, 00000000.00000002.323812186.00000000067A0000.00000002.00000001.sdmp, MLdAu.exe, 00000017.00000002.489169932.0000000006090000.00000002.00000001.sdmp, MLdAu.exe, 00000019.00000002.506598574.0000000006410000.00000002.00000001.sdmpfalse
                                              high
                                              http://www.jiyu-kobo.co.jp/N96LS4xS6TKn.exe, 00000000.00000003.224006332.00000000059C8000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.jiyu-kobo.co.jp/s-e6LS4xS6TKn.exe, 00000000.00000003.223180754.00000000059C8000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.jiyu-kobo.co.jp/t6LS4xS6TKn.exe, 00000000.00000003.224006332.00000000059C8000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              http://www.jiyu-kobo.co.jp/6LS4xS6TKn.exe, 00000000.00000003.223180754.00000000059C8000.00000004.00000001.sdmp, MLdAu.exe, 00000017.00000002.489169932.0000000006090000.00000002.00000001.sdmp, MLdAu.exe, 00000019.00000002.506598574.0000000006410000.00000002.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              http://www.fontbureau.como6LS4xS6TKn.exe, 00000000.00000003.228620224.00000000059D8000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              http://www.zhongyicts.com.cno.6LS4xS6TKn.exe, 00000000.00000003.221128152.00000000059D5000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              http://www.fontbureau.com/designers86LS4xS6TKn.exe, 00000000.00000002.323812186.00000000067A0000.00000002.00000001.sdmp, MLdAu.exe, 00000017.00000002.489169932.0000000006090000.00000002.00000001.sdmp, MLdAu.exe, 00000019.00000002.506598574.0000000006410000.00000002.00000001.sdmpfalse
                                                high
                                                http://www.jiyu-kobo.co.jp/c96LS4xS6TKn.exe, 00000000.00000003.223180754.00000000059C8000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.fontbureau.comalic6LS4xS6TKn.exe, 00000000.00000003.226229966.00000000059D2000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                • URL Reputation: safe
                                                unknown
                                                http://www.fontbureau.comalicN96LS4xS6TKn.exe, 00000000.00000003.226229966.00000000059D2000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown

                                                Contacted IPs

                                                No contacted IP infos

                                                General Information

                                                Joe Sandbox Version:33.0.0 White Diamond
                                                Analysis ID:452668
                                                Start date:22.07.2021
                                                Start time:17:43:18
                                                Joe Sandbox Product:CloudBasic
                                                Overall analysis duration:0h 13m 44s
                                                Hypervisor based Inspection enabled:false
                                                Report type:full
                                                Sample file name:6LS4xS6TKn.exe
                                                Cookbook file name:default.jbs
                                                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:32
                                                Number of new started drivers analysed:0
                                                Number of existing processes analysed:0
                                                Number of existing drivers analysed:0
                                                Number of injected processes analysed:0
                                                Technologies:
                                                • HCA enabled
                                                • EGA enabled
                                                • HDC enabled
                                                • AMSI enabled
                                                Analysis Mode:default
                                                Analysis stop reason:Timeout
                                                Detection:MAL
                                                Classification:mal100.troj.evad.winEXE@13/7@0/0
                                                EGA Information:Failed
                                                HDC Information:
                                                • Successful, ratio: 1.4% (good quality ratio 1%)
                                                • Quality average: 48.7%
                                                • Quality standard deviation: 37.3%
                                                HCA Information:
                                                • Successful, ratio: 96%
                                                • Number of executed functions: 53
                                                • Number of non-executed functions: 6
                                                Cookbook Comments:
                                                • Adjust boot time
                                                • Enable AMSI
                                                • Found application associated with file extension: .exe
                                                Warnings:
                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Not all processes were analyzed, report is missing behavior information
                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                • Report size getting too big, too many NtQueryValueKey calls found.

                                                Simulations

                                                Behavior and APIs

Time | Type | Description
17:45:11 | API Interceptor | 512x Sleep call for process: 6LS4xS6TKn.exe modified
17:45:25 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run MLdAu C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe
17:45:33 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run MLdAu C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe

                                                Joe Sandbox View / Context

                                                IPs

                                                No context

                                                Domains

                                                No context

                                                ASN

                                                No context

                                                JA3 Fingerprints

                                                No context

                                                Dropped Files

                                                No context

                                                Created / dropped Files

                                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\6LS4xS6TKn.exe.log
                                                Process:C:\Users\user\Desktop\6LS4xS6TKn.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):1216
                                                Entropy (8bit):5.355304211458859
                                                Encrypted:false
                                                SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                                MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                                SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                                SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                                SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                                Malicious:true
                                                Reputation:unknown
                                                Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MLdAu.exe.log
                                                Process:C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):1216
                                                Entropy (8bit):5.355304211458859
                                                Encrypted:false
                                                SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                                MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                                SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                                SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                                SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                C:\Users\user\AppData\Local\Temp\tmp74F3.tmp
                                                Process:C:\Users\user\Desktop\6LS4xS6TKn.exe
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):1642
                                                Entropy (8bit):5.1850889851927615
                                                Encrypted:false
                                                SSDEEP:24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBvBtn:cbh47TlNQ//rydbz9I3YODOLNdq3t
                                                MD5:71359811BDEC23A8C3EB4B94E71DC270
                                                SHA1:05F286BA3C3CCF4BF106BDF8447A94A82AB93A8A
                                                SHA-256:290E797D6A26CE3C5B18A020D5A21BCF45A723DEC403AC08C9106FF53B4160BA
                                                SHA-512:09B62C1C6B194F793CE80EB01EE2FC12048CC87C882ED614B0EEAED834FE24E7E604EA4FEE9FA09EC923724163A580D325967488B60F10486037776C93586AAD
                                                Malicious:true
                                                Reputation:unknown
                                                Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                                C:\Users\user\AppData\Local\Temp\tmpAB9F.tmp
                                                Process:C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):1642
                                                Entropy (8bit):5.1850889851927615
                                                Encrypted:false
                                                SSDEEP:24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBvBtn:cbh47TlNQ//rydbz9I3YODOLNdq3t
                                                MD5:71359811BDEC23A8C3EB4B94E71DC270
                                                SHA1:05F286BA3C3CCF4BF106BDF8447A94A82AB93A8A
                                                SHA-256:290E797D6A26CE3C5B18A020D5A21BCF45A723DEC403AC08C9106FF53B4160BA
                                                SHA-512:09B62C1C6B194F793CE80EB01EE2FC12048CC87C882ED614B0EEAED834FE24E7E604EA4FEE9FA09EC923724163A580D325967488B60F10486037776C93586AAD
                                                Malicious:false
                                                Reputation:unknown
                                                Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                                C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe
                                                Process:C:\Users\user\Desktop\6LS4xS6TKn.exe
                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Category:dropped
                                                Size (bytes):883200
                                                Entropy (8bit):7.017055708276543
                                                Encrypted:false
                                                SSDEEP:12288:nwRHMJfTDAe9AVLYy6t4XlJIT7652mgkSMPQipP5q:nwRsdT19qMy6tIsnipQ
                                                MD5:118F0E5D6A1C91A5B820741669C495D7
                                                SHA1:933D498BF7EEA29D1DEDD4B597692D62C6DC53D4
                                                SHA-256:16D0E36DF66A1BA451C25A5F5C1FCCCCA5CB415A81CB8820F89811232C4FC3B3
                                                SHA-512:C9EA9BF3ADB6324A8AD565ED3B7CD14C56AD2370DAE79FE9FF0637E0D8D0291A22363182E72DAEF7C16FA666FCBE3CEC9A9ECF83BAEAFAC23F8DD275AC4ECF38
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                • Antivirus: ReversingLabs, Detection: 30%
                                                Reputation:unknown
                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...zk.`..............0.................. ........@.. ....................................@.....................................S....... ............................................................................ ............... ..H............text........ ...................... ..`.rsrc... ...........................@..@.reloc...............x..............@..B.......................H.......(....................................................................L,.....9....<Iu.<k.......`...v...cU$[so.`z..W9.j... F.g\Pu.B.......,.-.b......3.?..vt....kU0.!?.n.'...E<v..|G7...B.{.PW..2....OH..w...U.....WCF..*.]./......4A?...&.4.krV_....~<n......4.....N.....`.K@....u..?...O....p.-.6...^........$F.$..d..P.....^O.+..7g.....DWE.....#2.....r.........;L9..M.BL...G~.lxf*..3..' .Xr.S..Q..O.=.:....O...L.ga.........A.j.\m.~..$D....^...s...J.=A44..%@.
                                                C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe:Zone.Identifier
                                                Process:C:\Users\user\Desktop\6LS4xS6TKn.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:modified
                                                Size (bytes):26
                                                Entropy (8bit):3.95006375643621
                                                Encrypted:false
                                                SSDEEP:3:ggPYV:rPYV
                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                Malicious:true
                                                Reputation:unknown
                                                Preview: [ZoneTransfer]....ZoneId=0
                                                C:\Users\user\AppData\Roaming\yuNCTcaeT.exe
                                                Process:C:\Users\user\Desktop\6LS4xS6TKn.exe
                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Category:dropped
                                                Size (bytes):883200
                                                Entropy (8bit):7.017055708276543
                                                Encrypted:false
                                                SSDEEP:12288:nwRHMJfTDAe9AVLYy6t4XlJIT7652mgkSMPQipP5q:nwRsdT19qMy6tIsnipQ
                                                MD5:118F0E5D6A1C91A5B820741669C495D7
                                                SHA1:933D498BF7EEA29D1DEDD4B597692D62C6DC53D4
                                                SHA-256:16D0E36DF66A1BA451C25A5F5C1FCCCCA5CB415A81CB8820F89811232C4FC3B3
                                                SHA-512:C9EA9BF3ADB6324A8AD565ED3B7CD14C56AD2370DAE79FE9FF0637E0D8D0291A22363182E72DAEF7C16FA666FCBE3CEC9A9ECF83BAEAFAC23F8DD275AC4ECF38
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                • Antivirus: ReversingLabs, Detection: 30%
                                                Reputation:unknown
                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...zk.`..............0.................. ........@.. ....................................@.....................................S....... ............................................................................ ............... ..H............text........ ...................... ..`.rsrc... ...........................@..@.reloc...............x..............@..B.......................H.......(....................................................................L,.....9....<Iu.<k.......`...v...cU$[so.`z..W9.j... F.g\Pu.B.......,.-.b......3.?..vt....kU0.!?.n.'...E<v..|G7...B.{.PW..2....OH..w...U.....WCF..*.]./......4A?...&.4.krV_....~<n......4.....N.....`.K@....u..?...O....p.-.6...^........$F.$..d..P.....^O.+..7g.....DWE.....#2.....r.........;L9..M.BL...G~.lxf*..3..' .Xr.S..Q..O.=.:....O...L.ga.........A.j.\m.~..$D....^...s...J.=A44..%@.

                                                Static File Info

                                                General

                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                Entropy (8bit):7.017055708276543
                                                TrID:
                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                • Win32 Executable (generic) a (10002005/4) 49.78%
                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                • DOS Executable Generic (2002/1) 0.01%
                                                File name:6LS4xS6TKn.exe
                                                File size:883200
                                                MD5:118f0e5d6a1c91a5b820741669c495d7
                                                SHA1:933d498bf7eea29d1dedd4b597692d62c6dc53d4
                                                SHA256:16d0e36df66a1ba451c25a5f5c1fcccca5cb415a81cb8820f89811232c4fc3b3
                                                SHA512:c9ea9bf3adb6324a8ad565ed3b7cd14c56ad2370dae79fe9ff0637e0d8d0291a22363182e72daef7c16fa666fcbe3cec9a9ecf83baeafac23f8dd275ac4ecf38
                                                SSDEEP:12288:nwRHMJfTDAe9AVLYy6t4XlJIT7652mgkSMPQipP5q:nwRsdT19qMy6tIsnipQ
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...zk.`..............0.................. ........@.. ....................................@................................

                                                File Icon

                                                Icon Hash:f0debeffdffeec70

                                                Static PE Info

                                                General

                                                Entrypoint:0x47affe
                                                Entrypoint Section:.text
                                                Digitally signed:false
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                Time Stamp:0x60F96B7A [Thu Jul 22 12:58:34 2021 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:v4.0.30319
                                                OS Version Major:4
                                                OS Version Minor:0
                                                File Version Major:4
                                                File Version Minor:0
                                                Subsystem Version Major:4
                                                Subsystem Version Minor:0
                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                Entrypoint Preview

                                                Instruction
                                                jmp dword ptr [00402000h]
                                                add byte ptr [eax], al   (this instruction repeats 97 times: it is the disassembly of the zero-filled bytes that follow the CLR entry stub)

                                                Data Directories

                                                Name | Virtual Address | Virtual Size | Is in Section
                                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7afa8 | 0x53 | .text
                                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x7c000 | 0x5e320 | .rsrc
                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xdc000 | 0xc | .reloc
                                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                Sections

                                                Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                .text | 0x2000 | 0x79004 | 0x79200 | False | 0.847881998194 | data | 7.70847292155 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                .rsrc | 0x7c000 | 0x5e320 | 0x5e400 | False | 0.167331523541 | data | 5.64058505063 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                .reloc | 0xdc000 | 0xc | 0x200 | False | 0.041015625 | data | 0.0815394123432 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                Resources

                                                Name | RVA | Size | Type | Language | Country
                                                RT_ICON | 0x7c220 | 0x468 | GLS_BINARY_LSB_FIRST | |
                                                RT_ICON | 0x7c688 | 0x1128 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0 | |
                                                RT_ICON | 0x7d7b0 | 0x2668 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 | |
                                                RT_ICON | 0x7fe18 | 0x4428 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0 | |
                                                RT_ICON | 0x84240 | 0x11028 | dBase III DBT, version number 0, next free block index 40 | |
                                                RT_ICON | 0x95268 | 0x44028 | data | |
                                                RT_GROUP_ICON | 0xd9290 | 0x5a | data | |
                                                RT_VERSION | 0xd92ec | 0x30c | data | |
                                                RT_MANIFEST | 0xd95f8 | 0xd25 | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF, LF line terminators | |

                                                Imports

                                                DLL | Import
                                                mscoree.dll | _CorExeMain

                                                Version Infos

                                                Description | Data
                                                Translation | 0x0000 0x04b0
                                                LegalCopyright | Copyright 2016
                                                Assembly Version | 1.0.0.0
                                                InternalName | qem4S.exe
                                                FileVersion | 1.0.0.0
                                                CompanyName |
                                                LegalTrademarks |
                                                Comments |
                                                ProductName | uNotepad
                                                ProductVersion | 1.0.0.0
                                                FileDescription | uNotepad
                                                OriginalFilename | qem4S.exe

                                                Network Behavior

                                                No network behavior found

                                                Code Manipulations

                                                Statistics

                                                System Behavior

                                                General

                                                Start time:17:44:11
                                                Start date:22/07/2021
                                                Path:C:\Users\user\Desktop\6LS4xS6TKn.exe
                                                Wow64 process (32bit):true
                                                Commandline:'C:\Users\user\Desktop\6LS4xS6TKn.exe'
                                                Imagebase:0xb80000
                                                File size:883200 bytes
                                                MD5 hash:118F0E5D6A1C91A5B820741669C495D7
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:.Net C# or VB.NET
                                                Yara matches:
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.313750267.0000000003FAB000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.313750267.0000000003FAB000.00000004.00000001.sdmp, Author: Joe Security
                                                Reputation:low

                                                General

                                                Start time:17:44:54
                                                Start date:22/07/2021
                                                Path:C:\Windows\SysWOW64\schtasks.exe
                                                Wow64 process (32bit):true
                                                Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yuNCTcaeT' /XML 'C:\Users\user\AppData\Local\Temp\tmp74F3.tmp'
                                                Imagebase:0xab0000
                                                File size:185856 bytes
                                                MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                General

                                                Start time:17:44:54
                                                Start date:22/07/2021
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff6b2800000
                                                File size:625664 bytes
                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                General

                                                Start time:17:44:55
                                                Start date:22/07/2021
                                                Path:C:\Users\user\Desktop\6LS4xS6TKn.exe
                                                Wow64 process (32bit):true
                                                Commandline:{path}
                                                Imagebase:0x880000
                                                File size:883200 bytes
                                                MD5 hash:118F0E5D6A1C91A5B820741669C495D7
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:.Net C# or VB.NET
                                                Reputation:low

                                                General

                                                Start time:17:45:33
                                                Start date:22/07/2021
                                                Path:C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe
                                                Wow64 process (32bit):true
                                                Commandline:'C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe'
                                                Imagebase:0x4f0000
                                                File size:883200 bytes
                                                MD5 hash:118F0E5D6A1C91A5B820741669C495D7
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:.Net C# or VB.NET
                                                Yara matches:
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000017.00000002.484767094.000000000399B000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000017.00000002.484767094.000000000399B000.00000004.00000001.sdmp, Author: Joe Security
                                                Antivirus matches:
                                                • Detection: 100%, Joe Sandbox ML
                                                • Detection: 30%, ReversingLabs
                                                Reputation:low

                                                General

                                                Start time:17:45:46
                                                Start date:22/07/2021
                                                Path:C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe
                                                Wow64 process (32bit):true
                                                Commandline:'C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe'
                                                Imagebase:0x7a0000
                                                File size:883200 bytes
                                                MD5 hash:118F0E5D6A1C91A5B820741669C495D7
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:.Net C# or VB.NET
                                                Reputation:low

                                                General

                                                Start time:17:46:13
                                                Start date:22/07/2021
                                                Path:C:\Windows\SysWOW64\schtasks.exe
                                                Wow64 process (32bit):true
                                                Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yuNCTcaeT' /XML 'C:\Users\user\AppData\Local\Temp\tmpAB9F.tmp'
                                                Imagebase:0xab0000
                                                File size:185856 bytes
                                                MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                General

                                                Start time:17:46:14
                                                Start date:22/07/2021
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff6b2800000
                                                File size:625664 bytes
                                                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high

                                                General

                                                Start time:17:46:15
                                                Start date:22/07/2021
                                                Path:C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe
                                                Wow64 process (32bit):true
                                                Commandline:{path}
                                                Imagebase:0x4a0000
                                                File size:883200 bytes
                                                MD5 hash:118F0E5D6A1C91A5B820741669C495D7
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:.Net C# or VB.NET
                                                Yara matches:
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001F.00000002.490664959.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000001F.00000002.490664959.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001F.00000002.496038864.00000000029F1000.00000004.00000001.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001F.00000002.496038864.00000000029F1000.00000004.00000001.sdmp, Author: Joe Security
                                                Reputation:low
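
The process table above records the persistence chain a responder needs to check for on other hosts: the sample copies itself to a randomly named folder under %APPDATA% (MLdAu\MLdAu.exe, same MD5 as the submitted file), registers a scheduled task under the Updates\ folder via schtasks.exe /Create /XML from a temp file, and then re-launches the dropped copy, one instance of which carries the AgentTesla Yara hits. The following host-side hunt is an added example written for this report, not part of the Joe Sandbox output; it assumes a Windows host with the ScheduledTasks module and uses only the task folder and MD5 the report shows, since the task name and drop folder are randomized per infection.

```powershell
# Added hunt script (not part of the Joe Sandbox report). Looks for the persistence
# artefacts listed in the process table: a scheduled task under the "Updates" task folder
# whose action runs an executable out of the user profile, and a dropped copy of the
# sample identified by its MD5.
$SampleMd5 = '118F0E5D6A1C91A5B820741669C495D7'   # MD5 of the submitted sample and of MLdAu.exe (from the report)
$Findings  = @()

# 1. Scheduled tasks in \Updates\ (the folder used by the schtasks /Create /TN 'Updates\...' call).
#    The task name (yuNCTcaeT in this run) is random, so match on the folder and on where the
#    action's executable lives rather than on the name.
Get-ScheduledTask -TaskPath '\Updates\' -ErrorAction SilentlyContinue | ForEach-Object {
    foreach ($action in $_.Actions) {
        $exe = [Environment]::ExpandEnvironmentVariables("$($action.Execute)").Trim('"')
        if ($exe -like '*\AppData\Roaming\*' -or $exe -like '*\AppData\Local\Temp\*') {
            $Findings += [pscustomobject]@{
                Type   = 'ScheduledTask'
                Name   = "$($_.TaskPath)$($_.TaskName)"
                Target = $exe
            }
        }
    }
}

# 2. Any executable under the roaming profile whose MD5 matches the sample.
#    The drop folder (MLdAu\MLdAu.exe here) is randomized, so hash every .exe instead of
#    looking for that particular path.
Get-ChildItem -Path $env:APPDATA -Filter '*.exe' -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $hash = (Get-FileHash -Path $_.FullName -Algorithm MD5).Hash
        if ($hash -eq $SampleMd5) {
            $Findings += [pscustomobject]@{ Type = 'DroppedFile'; Name = $_.FullName; Target = $hash }
        }
    }

# 3. Live processes running from the roaming profile (the report shows three MLdAu.exe
#    instances, the last of which is where the AgentTesla Yara rules fired in memory).
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and $_.Path -like "$env:APPDATA\*" } |
    ForEach-Object {
        $Findings += [pscustomobject]@{ Type = 'Process'; Name = "$($_.ProcessName) (PID $($_.Id))"; Target = $_.Path }
    }

$Findings | Format-Table -AutoSize
```

Run it in the context of the affected user (the task and the drop folder are per-user), and treat an empty result as inconclusive on hosts where the task was registered under a different folder; the hash check in step 2 is the only part that does not depend on this run's randomized names.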

                                                Disassembly

                                                Code Analysis


                                                  Executed Functions

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.309915212.0000000002D20000.00000040.00000001.sdmp, Offset: 02D20000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: u$<m$1qy$1qy$1qy
                                                  • API String ID: 0-2275394008
                                                  • Opcode ID: 9c73dd140f63abc78c5bc0903b892dcb9f8f719301466d76aa7a880e6eb4bb3c
                                                  • Instruction ID: c5c9d2c3d34cbb0da41796cc402baa7e828fd9505f0747f9ba0980c39acc6fce
                                                  • Opcode Fuzzy Hash: 9c73dd140f63abc78c5bc0903b892dcb9f8f719301466d76aa7a880e6eb4bb3c
                                                  • Instruction Fuzzy Hash: 90D13470E0525ADBCB44CF95C4849AEFBB2FFA9304B10D599C416AB314D738EA46CF94
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.309915212.0000000002D20000.00000040.00000001.sdmp, Offset: 02D20000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 79ee4cf8e954a28457d3040f546c0941554ae5d7375b91fdb8b2dccee80c2959
                                                  • Instruction ID: 5a189da3bfb7758248b372d0bcf858749c0790a5cdc24de1481d91acd4f501f7
                                                  • Opcode Fuzzy Hash: 79ee4cf8e954a28457d3040f546c0941554ae5d7375b91fdb8b2dccee80c2959
                                                  • Instruction Fuzzy Hash: 5481C674E112588FDB08CFE9D985AADFBB2FF88304F248129D519BB354DB349946CB50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.309915212.0000000002D20000.00000040.00000001.sdmp, Offset: 02D20000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5d2f6a2478c2ad8b29f5fb037f6e459c67a08164c031aab56f35e8fb81b868d0
                                                  • Instruction ID: 39542cb6e8e0313a7b49e9303db79c67a0066c63b0d7588e12edece639febc48
                                                  • Opcode Fuzzy Hash: 5d2f6a2478c2ad8b29f5fb037f6e459c67a08164c031aab56f35e8fb81b868d0
                                                  • Instruction Fuzzy Hash: 82610474E0421A9BCB04CF96D4809AEFBB2FF99318F14D52AD519AB315D330EA45CF90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.309915212.0000000002D20000.00000040.00000001.sdmp, Offset: 02D20000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 700ee612ef9d30454f6769cbeea967350a1d2de763bbb1e4462c41900869f400
                                                  • Instruction ID: b629024a8354f4fea45a360b6b3f7d456ac38e002743451c954f4a8ce7a396eb
                                                  • Opcode Fuzzy Hash: 700ee612ef9d30454f6769cbeea967350a1d2de763bbb1e4462c41900869f400
                                                  • Instruction Fuzzy Hash: 325113B4E052199BDB08CFAAC4846AEFBF2BF88204F14C12AD459B7355D7349A05CB64
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.309915212.0000000002D20000.00000040.00000001.sdmp, Offset: 02D20000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a5dee5992cfa6004e00f812fe5b6a5a1efa4063c2f2f5566e9f4249a33a90b3c
                                                  • Instruction ID: 21721503e31cf7cab7a2129c419a3e9b03f36ee66448b184f630d61fc657402a
                                                  • Opcode Fuzzy Hash: a5dee5992cfa6004e00f812fe5b6a5a1efa4063c2f2f5566e9f4249a33a90b3c
                                                  • Instruction Fuzzy Hash: D621E871E016588BDB18CFABD9446DEFBF7AFC9310F14C16AD809A6358DB341A45CB50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.309915212.0000000002D20000.00000040.00000001.sdmp, Offset: 02D20000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c8c2bc4b822e8b4011c15003f82c429e51c21aecb8eb162f849a2e265fcec701
                                                  • Instruction ID: 2fbbcb1e2691ca205d390b338327b26f4bedf05ccaba25345168aec52d727728
                                                  • Opcode Fuzzy Hash: c8c2bc4b822e8b4011c15003f82c429e51c21aecb8eb162f849a2e265fcec701
                                                  • Instruction Fuzzy Hash: BC21CCB0E016588BDB59CFA7D9446DEBBF3AFC9300F14C16AD808A6358DB744A46CF51
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • CreateActCtxA.KERNEL32(?), ref: 02D2B869
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.309915212.0000000002D20000.00000040.00000001.sdmp, Offset: 02D20000, based on PE: false
                                                  Similarity
                                                  • API ID: Create
                                                  • String ID:
                                                  • API String ID: 2289755597-0
                                                  • Opcode ID: 9dc9c923df0294d0b3233956d0b3318c96e1abb5fff904210b84dac92e4a3bc5
                                                  • Instruction ID: 35f2c8c42305a4e53700bbdb52f53aa6005f2a82f2f03867d93d00cb10391f07
                                                  • Opcode Fuzzy Hash: 9dc9c923df0294d0b3233956d0b3318c96e1abb5fff904210b84dac92e4a3bc5
                                                  • Instruction Fuzzy Hash: 38410370C0462DCBDB24DFA9C984B8EBBB5BF48308F24805AD519AB351DB756949CF90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02D2FA51,00000800,00000000,00000000), ref: 02D2FC62
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.309915212.0000000002D20000.00000040.00000001.sdmp, Offset: 02D20000, based on PE: false
                                                  Similarity
                                                  • API ID: LibraryLoad
                                                  • String ID:
                                                  • API String ID: 1029625771-0
                                                  • Opcode ID: 16308dda7fad9f788c62be5c1330fa1af0a80fd160e82326fb33bb9a29d8cc6a
                                                  • Instruction ID: d7eea2acf6c4b1ad9f566fee0ea1cad9e75c436c5d4b2ef4f707510c9de28fda
                                                  • Opcode Fuzzy Hash: 16308dda7fad9f788c62be5c1330fa1af0a80fd160e82326fb33bb9a29d8cc6a
                                                  • Instruction Fuzzy Hash: 9E1117B59042099FCB10CF9AD584ADEFBF4EB58324F11841ED955B7700C774A945CFA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 02D2F9D6
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.309915212.0000000002D20000.00000040.00000001.sdmp, Offset: 02D20000, based on PE: false
                                                  Similarity
                                                  • API ID: HandleModule
                                                  • String ID:
                                                  • API String ID: 4139908857-0
                                                  • Opcode ID: 90d10da354b13fa8643a2ff739f1a4d415eef57f92ed32944d0c37ce91079487
                                                  • Instruction ID: 71820b3257bbfc610541fa8791cf198f140a132f65249c3268b147094bb69c6b
                                                  • Opcode Fuzzy Hash: 90d10da354b13fa8643a2ff739f1a4d415eef57f92ed32944d0c37ce91079487
                                                  • Instruction Fuzzy Hash: 221113B5D006098FCB10CF9AC544BDEFBF4AB88328F10841AD459B7700C775A545CFA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Non-executed Functions

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.309915212.0000000002D20000.00000040.00000001.sdmp, Offset: 02D20000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: ]/$]/
                                                  • API String ID: 0-1106031600
                                                  • Opcode ID: c5c26fe0796a95388106091b0641198bc990967eee36a23263c35db9dd73b996
                                                  • Instruction ID: b9470c1f8c0fde148e84736e1d29205a845dcc464bd19e8eae3b778b8ae61532
                                                  • Opcode Fuzzy Hash: c5c26fe0796a95388106091b0641198bc990967eee36a23263c35db9dd73b996
                                                  • Instruction Fuzzy Hash: 0E710174E0421ADFCB04CF99D581AAEFBF2FF58214F14955AD815AB304C734AA82CFA5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.309915212.0000000002D20000.00000040.00000001.sdmp, Offset: 02D20000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID: ]/
                                                  • API String ID: 0-3510687542
                                                  • Opcode ID: 254716bc81d9a2e2a819bd29fabe831ac233d333e98c66446936e611f837c04a
                                                  • Instruction ID: d13260b55b5bbdce3e762faa9bf7cbd94e8293de5db21e134f3030509701ac04
                                                  • Opcode Fuzzy Hash: 254716bc81d9a2e2a819bd29fabe831ac233d333e98c66446936e611f837c04a
                                                  • Instruction Fuzzy Hash: 6C610174E0421ACFCB04CFA9C5859AEFBF2FF98214F14945AD815A7304C734AA86CFA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.309915212.0000000002D20000.00000040.00000001.sdmp, Offset: 02D20000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ec5ab7ed456f500604786b14aa1f9f35f4e693a1419bf9866fb735e2eb720ad2
                                                  • Instruction ID: 29c350261ae9fc7999ac7df32db4cf319d64cd6f284fed8143b3d211a4f20d1e
                                                  • Opcode Fuzzy Hash: ec5ab7ed456f500604786b14aa1f9f35f4e693a1419bf9866fb735e2eb720ad2
                                                  • Instruction Fuzzy Hash: A381E074A15229CFCB44CFA9C58499EFBF1FF98210F249569D815AB324D330AA86CF50
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.309915212.0000000002D20000.00000040.00000001.sdmp, Offset: 02D20000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 783e0b97784b5cda48fef1d9d48aa9779b425f38879cd9d8c158c5625bfee702
                                                  • Instruction ID: 472955b3ca0a23d483ab7669b75ddd459e0dd04c6fdc88465c2a0408263cffe4
                                                  • Opcode Fuzzy Hash: 783e0b97784b5cda48fef1d9d48aa9779b425f38879cd9d8c158c5625bfee702
                                                  • Instruction Fuzzy Hash: 2F810274E14219CFCB04CFA9C58499EFBF1FF99210F24856AD815AB324D330AE86CB61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.309915212.0000000002D20000.00000040.00000001.sdmp, Offset: 02D20000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 928bfa6d048be75ba8ca23632a86c48aacf65eeaa26e9d569bae0d4eba4cbac1
                                                  • Instruction ID: 0653bde20526d6d3bf3597e3e37cc48b69874844f0461f14cdc4369b264c9b99
                                                  • Opcode Fuzzy Hash: 928bfa6d048be75ba8ca23632a86c48aacf65eeaa26e9d569bae0d4eba4cbac1
                                                  • Instruction Fuzzy Hash: 8D11EFB1E046189BEB1CCFABD8406DEFBF7AFD8201F04C076D918A6254DB3406468F51
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.309915212.0000000002D20000.00000040.00000001.sdmp, Offset: 02D20000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 431c1feaca1a2f504f5e9752a1a56012c6ce63989e8e5167a207bb355e6d7e29
                                                  • Instruction ID: 880a6df644b5963dc42c6293082af21697fe56fec7a13fd95980dd8e7269a0b2
                                                  • Opcode Fuzzy Hash: 431c1feaca1a2f504f5e9752a1a56012c6ce63989e8e5167a207bb355e6d7e29
                                                  • Instruction Fuzzy Hash: 8011D0B1E046588BEB5CCFABD94469EFBF3AFD8200F08C17AC818A6258DB3445468F11
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Executed Functions

                                                  Memory Dump Source
                                                  • Source File: 00000017.00000002.486983753.0000000004E40000.00000040.00000001.sdmp, Offset: 04E40000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2ddc1b9f16b9e8d61cf4e03b3b6e3ae42e573e7ec13393abd2800a9fc5876be4
                                                  • Instruction ID: 9eed044b1d93a3cc65028c84a19809043cfb2831d766f2a4695c0be2288e4442
                                                  • Opcode Fuzzy Hash: 2ddc1b9f16b9e8d61cf4e03b3b6e3ae42e573e7ec13393abd2800a9fc5876be4
                                                  • Instruction Fuzzy Hash: 3891B235E00319DFCB04DFB0E8449DDB7BAFF8A314F648619E116AB664EB30A955CB90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • GetCurrentProcess.KERNEL32 ref: 04E41C88
                                                  • GetCurrentThread.KERNEL32 ref: 04E41CC5
                                                  • GetCurrentProcess.KERNEL32 ref: 04E41D02
                                                  • GetCurrentThreadId.KERNEL32 ref: 04E41D5B
                                                  Memory Dump Source
                                                  • Source File: 00000017.00000002.486983753.0000000004E40000.00000040.00000001.sdmp, Offset: 04E40000, based on PE: false
                                                  Similarity
                                                  • API ID: Current$ProcessThread
                                                  • String ID:
                                                  • API String ID: 2063062207-0
                                                  • Opcode ID: d8f2514d8696619c22f20a1ee3aab94c4f637082164e97c29cf8a3ff5505b92b
                                                  • Instruction ID: 2b955d516194ca40df0799a2912412e0e4f53c10028993c6c7f0f425eb8dd51a
                                                  • Opcode Fuzzy Hash: d8f2514d8696619c22f20a1ee3aab94c4f637082164e97c29cf8a3ff5505b92b
                                                  • Instruction Fuzzy Hash: 465125B0D006498FDB14CFA9DA497DEBBF1AB88315F208459E419B7350DB74A884CF66
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 0282572B
                                                  Memory Dump Source
                                                  • Source File: 00000017.00000002.481702251.0000000002820000.00000040.00000001.sdmp, Offset: 02820000, based on PE: false
                                                  Similarity
                                                  • API ID: CreateProcess
                                                  • String ID:
                                                  • API String ID: 963392458-0
                                                  • Opcode ID: beb2b3ec519345c8b2d8023abaaf1465151c5b189c20249308710616888e1300
                                                  • Instruction ID: 38cad5e38ebb060f01ac68a433bba76447ea1f159bb9d0a4344ce9233816bdeb
                                                  • Opcode Fuzzy Hash: beb2b3ec519345c8b2d8023abaaf1465151c5b189c20249308710616888e1300
                                                  • Instruction Fuzzy Hash: 64510775D00329DFDB64CF95C980BDEBBB1AF88314F15809AE908B7250DB349A89CF51
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • CreateProcessW.KERNELBASE(?,?,00000009,?,?,?,?,?,?,?), ref: 0282572B
                                                  Memory Dump Source
                                                  • Source File: 00000017.00000002.481702251.0000000002820000.00000040.00000001.sdmp, Offset: 02820000, based on PE: false
                                                  Similarity
                                                  • API ID: CreateProcess
                                                  • String ID:
                                                  • API String ID: 963392458-0
                                                  • Opcode ID: 5453ea9d371f4a4e07bb32c211062fd107798146b083a93d9e2edfc615a89882
                                                  • Instruction ID: 0cf47e60050e2359492ae922f0c3041213fab04d454d8327f757dc433f39396b
                                                  • Opcode Fuzzy Hash: 5453ea9d371f4a4e07bb32c211062fd107798146b083a93d9e2edfc615a89882
                                                  • Instruction Fuzzy Hash: 74510775D00329DFDB24CF99C980BDEBBB5AF88304F158099E908B7250DB349A89CF51
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04E463AA
                                                  Memory Dump Source
                                                  • Source File: 00000017.00000002.486983753.0000000004E40000.00000040.00000001.sdmp, Offset: 04E40000, based on PE: false
                                                  Similarity
                                                  • API ID: CreateWindow
                                                  • String ID:
                                                  • API String ID: 716092398-0
                                                  • Opcode ID: fed1cf1b6b36e87b236650f0fdc506e5d6d344316ab3bc6150f08c643fb270ff
                                                  • Instruction ID: 8f27d51b6aa7e8763a7735fc8c390459be0b1f69f84810c0d0f90c298143d144
                                                  • Opcode Fuzzy Hash: fed1cf1b6b36e87b236650f0fdc506e5d6d344316ab3bc6150f08c643fb270ff
                                                  • Instruction Fuzzy Hash: 4051E0B5D00348DFDF14CFA9D980ADDBBB1BF89314F24822AE419AB210D774A845CF90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04E463AA
                                                  Memory Dump Source
                                                  • Source File: 00000017.00000002.486983753.0000000004E40000.00000040.00000001.sdmp, Offset: 04E40000, based on PE: false
                                                  Similarity
                                                  • API ID: CreateWindow
                                                  • String ID:
                                                  • API String ID: 716092398-0

                                                  APIs
                                                  • CallWindowProcW.USER32(?,?,?,?,?), ref: 04E48911
                                                  Memory Dump Source
                                                  • Source File: 00000017.00000002.486983753.0000000004E40000.00000040.00000001.sdmp, Offset: 04E40000, based on PE: false
                                                  Similarity
                                                  • API ID: CallProcWindow
                                                  • String ID:
                                                  • API String ID: 2714655100-0

                                                  APIs
                                                  • CreateActCtxA.KERNEL32(?), ref: 00CFB869
                                                  Memory Dump Source
                                                  • Source File: 00000017.00000002.480196630.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: false
                                                  Similarity
                                                  • API ID: Create
                                                  • String ID:
                                                  • API String ID: 2289755597-0

                                                  APIs
                                                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02826265
                                                  Memory Dump Source
                                                  • Source File: 00000017.00000002.481702251.0000000002820000.00000040.00000001.sdmp, Offset: 02820000, based on PE: false
                                                  Similarity
                                                  • API ID: MemoryProcessWrite
                                                  • String ID:
                                                  • API String ID: 3559483778-0

                                                  APIs
                                                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 02826265
                                                  Memory Dump Source
                                                  • Source File: 00000017.00000002.481702251.0000000002820000.00000040.00000001.sdmp, Offset: 02820000, based on PE: false
                                                  Similarity
                                                  • API ID: MemoryProcessWrite
                                                  • String ID:
                                                  • API String ID: 3559483778-0

                                                  APIs
                                                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 028260DF
                                                  Memory Dump Source
                                                  • Source File: 00000017.00000002.481702251.0000000002820000.00000040.00000001.sdmp, Offset: 02820000, based on PE: false
                                                  Similarity
                                                  • API ID: MemoryProcessRead
                                                  • String ID:
                                                  • API String ID: 1726664587-0

                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 04E41ED7
                                                  Memory Dump Source
                                                  • Source File: 00000017.00000002.486983753.0000000004E40000.00000040.00000001.sdmp, Offset: 04E40000, based on PE: false
                                                  Similarity
                                                  • API ID: DuplicateHandle
                                                  • String ID:
                                                  • API String ID: 3793708945-0

                                                  APIs
                                                  • SetThreadContext.KERNELBASE(?,00000000), ref: 02826017
                                                  Memory Dump Source
                                                  • Source File: 00000017.00000002.481702251.0000000002820000.00000040.00000001.sdmp, Offset: 02820000, based on PE: false
                                                  Similarity
                                                  • API ID: ContextThread
                                                  • String ID:
                                                  • API String ID: 1591575202-0

                                                  APIs
                                                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 028260DF
                                                  Memory Dump Source
                                                  • Source File: 00000017.00000002.481702251.0000000002820000.00000040.00000001.sdmp, Offset: 02820000, based on PE: false
                                                  Similarity
                                                  • API ID: MemoryProcessRead
                                                  • String ID:
                                                  • API String ID: 1726664587-0

                                                  APIs
                                                  • SetThreadContext.KERNELBASE(?,00000000), ref: 02826017
                                                  Memory Dump Source
                                                  • Source File: 00000017.00000002.481702251.0000000002820000.00000040.00000001.sdmp, Offset: 02820000, based on PE: false
                                                  Similarity
                                                  • API ID: ContextThread
                                                  • String ID:
                                                  • API String ID: 1591575202-0

                                                  APIs
                                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00CFFA51,00000800,00000000,00000000), ref: 00CFFC62
                                                  Memory Dump Source
                                                  • Source File: 00000017.00000002.480196630.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: false
                                                  Similarity
                                                  • API ID: LibraryLoad
                                                  • String ID:
                                                  • API String ID: 1029625771-0

                                                  APIs
                                                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0282619B
                                                  Memory Dump Source
                                                  • Source File: 00000017.00000002.481702251.0000000002820000.00000040.00000001.sdmp, Offset: 02820000, based on PE: false
                                                  Similarity
                                                  • API ID: AllocVirtual
                                                  • String ID:
                                                  • API String ID: 4275171209-0

                                                  APIs
                                                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0282619B
                                                  Memory Dump Source
                                                  • Source File: 00000017.00000002.481702251.0000000002820000.00000040.00000001.sdmp, Offset: 02820000, based on PE: false
                                                  Similarity
                                                  • API ID: AllocVirtual
                                                  • String ID:
                                                  • API String ID: 4275171209-0

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000017.00000002.481702251.0000000002820000.00000040.00000001.sdmp, Offset: 02820000, based on PE: false
                                                  Similarity
                                                  • API ID: ResumeThread
                                                  • String ID:
                                                  • API String ID: 947044025-0

                                                  APIs
                                                  • SetWindowLongW.USER32(?,FFFFFFF4,?), ref: 04E4653D
                                                  Memory Dump Source
                                                  • Source File: 00000017.00000002.486983753.0000000004E40000.00000040.00000001.sdmp, Offset: 04E40000, based on PE: false
                                                  Similarity
                                                  • API ID: LongWindow
                                                  • String ID:
                                                  • API String ID: 1378638983-0

                                                  APIs
                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 00CFF9D6
                                                  Memory Dump Source
                                                  • Source File: 00000017.00000002.480196630.0000000000CF0000.00000040.00000001.sdmp, Offset: 00CF0000, based on PE: false
                                                  Similarity
                                                  • API ID: HandleModule
                                                  • String ID:
                                                  • API String ID: 4139908857-0

                                                  APIs
                                                  • PostMessageW.USER32(?,?,?,?), ref: 02826DC5
                                                  Memory Dump Source
                                                  • Source File: 00000017.00000002.481702251.0000000002820000.00000040.00000001.sdmp, Offset: 02820000, based on PE: false
                                                  Similarity
                                                  • API ID: MessagePost
                                                  • String ID:
                                                  • API String ID: 410705778-0

                                                  APIs
                                                  • SetWindowLongW.USER32(?,FFFFFFF4,?), ref: 04E4653D
                                                  Memory Dump Source
                                                  • Source File: 00000017.00000002.486983753.0000000004E40000.00000040.00000001.sdmp, Offset: 04E40000, based on PE: false
                                                  Similarity
                                                  • API ID: LongWindow
                                                  • String ID:
                                                  • API String ID: 1378638983-0

                                                  APIs
                                                  • PostMessageW.USER32(?,?,?,?), ref: 02826DC5
                                                  Memory Dump Source
                                                  • Source File: 00000017.00000002.481702251.0000000002820000.00000040.00000001.sdmp, Offset: 02820000, based on PE: false
                                                  Similarity
                                                  • API ID: MessagePost
                                                  • String ID:
                                                  • API String ID: 410705778-0

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000017.00000002.481702251.0000000002820000.00000040.00000001.sdmp, Offset: 02820000, based on PE: false
                                                  Similarity
                                                  • API ID: ResumeThread
                                                  • String ID:
                                                  • API String ID: 947044025-0

                                                  Non-executed Functions

                                                  Executed Functions

                                                  APIs
                                                  • GetCurrentProcess.KERNEL32 ref: 02C31C88
                                                  • GetCurrentThread.KERNEL32 ref: 02C31CC5
                                                  • GetCurrentProcess.KERNEL32 ref: 02C31D02
                                                  • GetCurrentThreadId.KERNEL32 ref: 02C31D5B
                                                  Memory Dump Source
                                                  • Source File: 00000019.00000002.497047861.0000000002C30000.00000040.00000001.sdmp, Offset: 02C30000, based on PE: false
                                                  Similarity
                                                  • API ID: Current$ProcessThread
                                                  • String ID:
                                                  • API String ID: 2063062207-0

                                                  APIs
                                                  • GetCurrentProcess.KERNEL32 ref: 02C31C88
                                                  • GetCurrentThread.KERNEL32 ref: 02C31CC5
                                                  • GetCurrentProcess.KERNEL32 ref: 02C31D02
                                                  • GetCurrentThreadId.KERNEL32 ref: 02C31D5B
                                                  Memory Dump Source
                                                  • Source File: 00000019.00000002.497047861.0000000002C30000.00000040.00000001.sdmp, Offset: 02C30000, based on PE: false
                                                  Similarity
                                                  • API ID: Current$ProcessThread
                                                  • String ID:
                                                  • API String ID: 2063062207-0

                                                  APIs
                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02C363AA
                                                  Memory Dump Source
                                                  • Source File: 00000019.00000002.497047861.0000000002C30000.00000040.00000001.sdmp, Offset: 02C30000, based on PE: false
                                                  Similarity
                                                  • API ID: CreateWindow
                                                  • String ID:
                                                  • API String ID: 716092398-0

                                                  APIs
                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02C363AA
                                                  Memory Dump Source
                                                  • Source File: 00000019.00000002.497047861.0000000002C30000.00000040.00000001.sdmp, Offset: 02C30000, based on PE: false
                                                  Similarity
                                                  • API ID: CreateWindow
                                                  • String ID:
                                                  • API String ID: 716092398-0

                                                  APIs
                                                  • CallWindowProcW.USER32(?,?,?,?,?), ref: 02C38911
                                                  Memory Dump Source
                                                  • Source File: 00000019.00000002.497047861.0000000002C30000.00000040.00000001.sdmp, Offset: 02C30000, based on PE: false
                                                  Similarity
                                                  • API ID: CallProcWindow
                                                  • String ID:
                                                  • API String ID: 2714655100-0
                                                  • Opcode ID: 2773a163b769ba9d542313540c8fcd2eb4edbed27000eba3ba1d9f1180245e00
                                                  • Instruction ID: 0ee6fb774dd0d0d71acd53c5a7128a53a09771f48c1b86fbfaf6a9c2ed3c8caf
                                                  • Opcode Fuzzy Hash: 2773a163b769ba9d542313540c8fcd2eb4edbed27000eba3ba1d9f1180245e00
                                                  • Instruction Fuzzy Hash: D4414DB4A00305CFCB14CF99C548AABBBF5FF88314F258999E519A7321D774A941CFA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • CreateActCtxA.KERNEL32(?), ref: 00E9B869
                                                  Memory Dump Source
                                                  • Source File: 00000019.00000002.494299198.0000000000E90000.00000040.00000001.sdmp, Offset: 00E90000, based on PE: false
                                                  Similarity
                                                  • API ID: Create
                                                  • String ID:
                                                  • API String ID: 2289755597-0
                                                  • Opcode ID: e1a59b8f82f20aea7c96e53372b610b7daf66ee02f161960d8014ab48752b872
                                                  • Instruction ID: 6da8f00d911c82d658c5517995bb423ea0100e0ee7b5e401674a5242c72070e8
                                                  • Opcode Fuzzy Hash: e1a59b8f82f20aea7c96e53372b610b7daf66ee02f161960d8014ab48752b872
                                                  • Instruction Fuzzy Hash: 1541E2B0C0061DCBDB24DFA9CA84BCEBBB5BF88308F248069D509BB251DB756945CF90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • DrawTextExW.USER32(?,?,?,?,?,?), ref: 0550D707
                                                  Memory Dump Source
                                                  • Source File: 00000019.00000002.506014423.0000000005500000.00000040.00000001.sdmp, Offset: 05500000, based on PE: false
                                                  Similarity
                                                  • API ID: DrawText
                                                  • String ID:
                                                  • API String ID: 2175133113-0
                                                  • Opcode ID: b7d8d5e7fdd78e6b91c6efb876ff60c994cbac2e869a05a67554d2d05038467b
                                                  • Instruction ID: 0c6fbbcecae113092b3314ea18ed3e4742a6913c501b32a898e8094778d93747
                                                  • Opcode Fuzzy Hash: b7d8d5e7fdd78e6b91c6efb876ff60c994cbac2e869a05a67554d2d05038467b
                                                  • Instruction Fuzzy Hash: 3021C0B5D002099FDB10CF9AD984AEEFBF4BB48324F14842AE919A7250D774A944CFA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02C31ED7
                                                  Memory Dump Source
                                                  • Source File: 00000019.00000002.497047861.0000000002C30000.00000040.00000001.sdmp, Offset: 02C30000, based on PE: false
                                                  Similarity
                                                  • API ID: DuplicateHandle
                                                  • String ID:
                                                  • API String ID: 3793708945-0
                                                  • Opcode ID: 583d556dfb44c6d978a52bb47e6a8417f46da287cd0adca54cb3398fdd61c4f5
                                                  • Instruction ID: d1baf3da02d943fb7b95ec2b8254cc8875773d1eb1e2b463e1b7cd3bb11bd5b3
                                                  • Opcode Fuzzy Hash: 583d556dfb44c6d978a52bb47e6a8417f46da287cd0adca54cb3398fdd61c4f5
                                                  • Instruction Fuzzy Hash: 7D21E3B5900249DFDB10CFAAD984AEEBFF4EB48324F14841AE959B3310D778A954CF61
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02C31ED7
                                                  Memory Dump Source
                                                  • Source File: 00000019.00000002.497047861.0000000002C30000.00000040.00000001.sdmp, Offset: 02C30000, based on PE: false
                                                  Similarity
                                                  • API ID: DuplicateHandle
                                                  • String ID:
                                                  • API String ID: 3793708945-0
                                                  • Opcode ID: 23f8dcc373f5a58ee11c1daebf5d3d3655dd080dcde2c448dd724fe6284487cf
                                                  • Instruction ID: 493f5e0c142c05649b5ec7f0610c626d91bfc055205e42883a7cefb0adfb76b2
                                                  • Opcode Fuzzy Hash: 23f8dcc373f5a58ee11c1daebf5d3d3655dd080dcde2c448dd724fe6284487cf
                                                  • Instruction Fuzzy Hash: C921C4B5900249DFDB10CFAAD984ADEBBF8FB48324F14841AE918A3310D775A954CFA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00E9FA51,00000800,00000000,00000000), ref: 00E9FC62
                                                  Memory Dump Source
                                                  • Source File: 00000019.00000002.494299198.0000000000E90000.00000040.00000001.sdmp, Offset: 00E90000, based on PE: false
                                                  Similarity
                                                  • API ID: LibraryLoad
                                                  • String ID:
                                                  • API String ID: 1029625771-0
                                                  • Opcode ID: b4ce7b937603beb9cd5188e1bf25db13e91b7140d964611e5924f4cdfa96d3b8
                                                  • Instruction ID: 9ba0485993b915f26fcb0dea4393f268523de7115718115d18da09fde4218232
                                                  • Opcode Fuzzy Hash: b4ce7b937603beb9cd5188e1bf25db13e91b7140d964611e5924f4cdfa96d3b8
                                                  • Instruction Fuzzy Hash: A71103B6D002099FCB10CF9AD548ADEFBF4AB88314F20842EE915B7200C774A945CFA5
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 00E9F9D6
                                                  Memory Dump Source
                                                  • Source File: 00000019.00000002.494299198.0000000000E90000.00000040.00000001.sdmp, Offset: 00E90000, based on PE: false
                                                  Similarity
                                                  • API ID: HandleModule
                                                  • String ID:
                                                  • API String ID: 4139908857-0
                                                  • Opcode ID: 1706d55030693420c111f9b8f922d167ed4a38b2cde37abd238a7fd54956011e
                                                  • Instruction ID: b6baadb80316387d09e8a5240c61709db9f06a96be82c561ad381e77dc1c261d
                                                  • Opcode Fuzzy Hash: 1706d55030693420c111f9b8f922d167ed4a38b2cde37abd238a7fd54956011e
                                                  • Instruction Fuzzy Hash: 48110FB6C006098FCB10CF9AD544BDEFBF8AB88324F10842AD459B7700C778A545CFA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Non-executed Functions

                                                  Executed Functions

                                                  APIs
                                                  • GetCurrentProcess.KERNEL32 ref: 02826BE0
                                                  • GetCurrentThread.KERNEL32 ref: 02826C1D
                                                  • GetCurrentProcess.KERNEL32 ref: 02826C5A
                                                  • GetCurrentThreadId.KERNEL32 ref: 02826CB3
                                                  Memory Dump Source
                                                  • Source File: 0000001F.00000002.495220763.0000000002820000.00000040.00000001.sdmp, Offset: 02820000, based on PE: false
                                                  Similarity
                                                  • API ID: Current$ProcessThread
                                                  • String ID:
                                                  • API String ID: 2063062207-0
                                                  • Opcode ID: dc495bc25e8185c8f302dd6026d0da92d32a194582d7e39c0bfb5a26caf87a9e
                                                  • Instruction ID: bfa0ada86adb69da51011e7ef3742864e6772f469abfb17b4ffa52c851617151
                                                  • Opcode Fuzzy Hash: dc495bc25e8185c8f302dd6026d0da92d32a194582d7e39c0bfb5a26caf87a9e
                                                  • Instruction Fuzzy Hash: 8D5144B4A047588FDB14CFA9C648B9EBBF4EF48314F208499E409B7350DB74A988CF65
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 028253E2
                                                  Memory Dump Source
                                                  • Source File: 0000001F.00000002.495220763.0000000002820000.00000040.00000001.sdmp, Offset: 02820000, based on PE: false
                                                  Similarity
                                                  • API ID: CreateWindow
                                                  • String ID:
                                                  • API String ID: 716092398-0
                                                  • Opcode ID: 37ffd769f945a21980e99b0aaac991e69a515cf5de51b4bc68f3b74b38646671
                                                  • Instruction ID: a61f4cdd740db0a909d2c3742000f4c8a599d8dffa7bd4d4059a1358c5d76c90
                                                  • Opcode Fuzzy Hash: 37ffd769f945a21980e99b0aaac991e69a515cf5de51b4bc68f3b74b38646671
                                                  • Instruction Fuzzy Hash: 8151C0B5D003599FDB14CF99C984ADEBBF1BF48314F64812AE819BB210D7749989CF90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 028253E2
                                                  Memory Dump Source
                                                  • Source File: 0000001F.00000002.495220763.0000000002820000.00000040.00000001.sdmp, Offset: 02820000, based on PE: false
                                                  Similarity
                                                  • API ID: CreateWindow
                                                  • String ID:
                                                  • API String ID: 716092398-0
                                                  • Opcode ID: 6a60d886caf2de219bf5292b772835a72e681b4aa2958eb53ae2bd8760f4e8d9
                                                  • Instruction ID: cbd468ebea665e71357664f87d2dc944d72f835e9726140cae39df0573e00865
                                                  • Opcode Fuzzy Hash: 6a60d886caf2de219bf5292b772835a72e681b4aa2958eb53ae2bd8760f4e8d9
                                                  • Instruction Fuzzy Hash: 1F41DFB5D003589FDB14CF99C984ADEBBF5BF48314F64812AE819AB210DB749889CF90
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • CallWindowProcW.USER32(?,?,?,?,?), ref: 02827D39
                                                  Memory Dump Source
                                                  • Source File: 0000001F.00000002.495220763.0000000002820000.00000040.00000001.sdmp, Offset: 02820000, based on PE: false
                                                  Similarity
                                                  • API ID: CallProcWindow
                                                  • String ID:
                                                  • API String ID: 2714655100-0
                                                  • Opcode ID: d035ab0dce71e2f15f9237ac0206e04403136ed059453d5fa127aaf8cbb85562
                                                  • Instruction ID: 21f1becdf896ef2227c9a726ef8fb4c5e712edf0112ceb07a43342274a2863ff
                                                  • Opcode Fuzzy Hash: d035ab0dce71e2f15f9237ac0206e04403136ed059453d5fa127aaf8cbb85562
                                                  • Instruction Fuzzy Hash: 25414CB8A003558FDB14CF99C548BAAFBF5FF48314F248499D519A7360D734A845CFA0
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02826E2F
                                                  Memory Dump Source
                                                  • Source File: 0000001F.00000002.495220763.0000000002820000.00000040.00000001.sdmp, Offset: 02820000, based on PE: false
                                                  Similarity
                                                  • API ID: DuplicateHandle
                                                  • String ID:
                                                  • API String ID: 3793708945-0
                                                  • Opcode ID: 516c1182609155a012972a3521ab72407c7359a6fcd116ae152801d3fd9ea44e
                                                  • Instruction ID: de5ec3250a3b936143abc18e36356a04964d07db9204dd943a2257269ebfd688
                                                  • Opcode Fuzzy Hash: 516c1182609155a012972a3521ab72407c7359a6fcd116ae152801d3fd9ea44e
                                                  • Instruction Fuzzy Hash: 342114B59002589FDB10CFA9D984AEEBFF4EB48324F14805AE954B3310D774A954CF60
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02826E2F
                                                  Memory Dump Source
                                                  • Source File: 0000001F.00000002.495220763.0000000002820000.00000040.00000001.sdmp, Offset: 02820000, based on PE: false
                                                  Similarity
                                                  • API ID: DuplicateHandle
                                                  • String ID:
                                                  • API String ID: 3793708945-0
                                                  • Opcode ID: a28d4b7f77b4c0f67766d6b4764412ff6d0b1b5e31c27130374f6881d90ab8f1
                                                  • Instruction ID: 89565e10621b9e58c908295b3d38574fe10d1007dfd36e635d546fdbc899c80a
                                                  • Opcode Fuzzy Hash: a28d4b7f77b4c0f67766d6b4764412ff6d0b1b5e31c27130374f6881d90ab8f1
                                                  • Instruction Fuzzy Hash: 0621F5B59002589FDB10CFA9D984ADEFBF8FB48324F14841AE914B3310D774A954CFA1
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 0000001F.00000002.494804867.0000000000F8D000.00000040.00000001.sdmp, Offset: 00F8D000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 111b6ddf7deb87678e04aea7ca785e1000ffc0c17ede088be1de443f05fdf82a
                                                  • Instruction ID: 404689ab7d4c1550c123b073d36dda8dd3f155af5edc05251564a8df1fcf5a78
                                                  • Opcode Fuzzy Hash: 111b6ddf7deb87678e04aea7ca785e1000ffc0c17ede088be1de443f05fdf82a
                                                  • Instruction Fuzzy Hash: 8321F571904240DFDB14EF64D9C4B56BB65FF84324F24C5A9D8094B38AC736D846EB62
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%

                                                  Memory Dump Source
                                                  • Source File: 0000001F.00000002.494804867.0000000000F8D000.00000040.00000001.sdmp, Offset: 00F8D000, based on PE: false
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5c835ce51a8ea4d8e5875db5bacc05e35ed27161a389dcc20ffc6c3e2262e310
                                                  • Instruction ID: 318633f73a6bc347872a90555b47082079709dc815426963aa255b1a2ce283b1
                                                  • Opcode Fuzzy Hash: 5c835ce51a8ea4d8e5875db5bacc05e35ed27161a389dcc20ffc6c3e2262e310
                                                  • Instruction Fuzzy Hash: 6F2180755093C08FCB12CF20D990755BF71EF46324F28C5EAD8498B697C33A980ACB62
                                                  Uniqueness

                                                  Uniqueness Score: -1.00%
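
The per-function records above repeat the same few fields (API references with a `ref:` address, a memory-dump source file, and a "based on PE" marker), which makes them easy to triage mechanically. The script below is an added example and is not part of the Joe Sandbox report or its tooling: it parses records in the exact shape shown here, groups the API references by the memory region they were recovered from, decodes the region descriptor, and attaches a few triage hints. Assumptions: the `.sdmp` file name is read as `<process index>.<dump round>.<id>.<base>.<page protection>.<type>` (inferred from the names in this listing, not a documented format), the protection field uses the `winnt.h` PAGE_* constants, and the API-cluster hints are heuristics to correlate with the report's own signatures, not detections in themselves. The sample input is a constructed subset of records copied from the listing.

```python
"""Triage helper for Joe Sandbox "Executed Functions" records.

Added example, not part of the original report. ASSUMPTION: the .sdmp
file name is laid out as <process index>.<dump round>.<id>.<base>
.<protection>.<type>; this is inferred from the names in the listing.
"""
import re

# Windows page-protection constants from winnt.h (only the common ones).
PAGE_PROTECTION = {
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
}
WRITABLE_AND_EXECUTABLE = {0x40}

# "• CreateWindowExW.USER32(?,?,0000000C,?), ref: 02C363AA" or
# "• GetCurrentProcess.KERNEL32 ref: 02826BE0" (no argument list, no comma)
API_RE = re.compile(r"^[•*-]\s+(\w+)\.(\w+)(?:\(([^)]*)\))?,?\s+ref:\s+([0-9A-Fa-f]+)\s*$")
SRC_RE = re.compile(r"Source File:\s+(\S+\.sdmp),\s+Offset:\s+([0-9A-Fa-f]+),\s+based on PE:\s+(true|false)")

# Constructed sample: records copied from the listing above, one per function.
SAMPLE = """
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02C363AA
Memory Dump Source
• Source File: 00000019.00000002.497047861.0000000002C30000.00000040.00000001.sdmp, Offset: 02C30000, based on PE: false
APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 02C38911
Memory Dump Source
• Source File: 00000019.00000002.497047861.0000000002C30000.00000040.00000001.sdmp, Offset: 02C30000, based on PE: false
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02C31ED7
Memory Dump Source
• Source File: 00000019.00000002.497047861.0000000002C30000.00000040.00000001.sdmp, Offset: 02C30000, based on PE: false
APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00E9FA51,00000800,00000000,00000000), ref: 00E9FC62
Memory Dump Source
• Source File: 00000019.00000002.494299198.0000000000E90000.00000040.00000001.sdmp, Offset: 00E90000, based on PE: false
APIs
• GetCurrentProcess.KERNEL32 ref: 02826BE0
• GetCurrentThread.KERNEL32 ref: 02826C1D
Memory Dump Source
• Source File: 0000001F.00000002.495220763.0000000002820000.00000040.00000001.sdmp, Offset: 02820000, based on PE: false
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02826E2F
Memory Dump Source
• Source File: 0000001F.00000002.495220763.0000000002820000.00000040.00000001.sdmp, Offset: 02820000, based on PE: false
"""


def parse_records(text):
    """Yield (source_file, offset, pe_backed, apis) per function record.
    A record is closed by its 'Source File:' line; apis is a list of
    (api, module, argument string, ref address)."""
    apis = []
    for line in text.splitlines():
        line = line.strip()
        m = API_RE.match(line)
        if m:
            apis.append((m.group(1), m.group(2), m.group(3) or "", int(m.group(4), 16)))
            continue
        m = SRC_RE.search(line)
        if m:
            yield m.group(1), int(m.group(2), 16), m.group(3) == "true", apis
            apis = []


def decode_sdmp_name(name):
    """Decode the dump descriptor (layout is an assumption, see module docstring)."""
    fields = name[: -len(".sdmp")].split(".")
    if len(fields) != 6:
        raise ValueError("unexpected sdmp name: " + name)
    prot = int(fields[4], 16)
    return {
        "process_index": int(fields[0], 16),
        "dump_round": int(fields[1], 16),
        "base": int(fields[3], 16),
        "protection": PAGE_PROTECTION.get(prot, hex(prot)),
        "rwx": prot in WRITABLE_AND_EXECUTABLE,
    }


def triage(text):
    """Group API references by memory region and attach triage hints."""
    regions = {}
    for src, _offset, pe_backed, apis in parse_records(text):
        region = regions.get(src)
        if region is None:
            region = decode_sdmp_name(src)
            region.update(pe_backed=pe_backed, apis=set(), records=0, flags=[])
            regions[src] = region
        region["records"] += 1
        region["apis"].update(api for api, _, _, _ in apis)
    for region in regions.values():
        names = region["apis"]
        if region["rwx"] and not region["pe_backed"]:
            region["flags"].append("RWX region not backed by a mapped PE: unpacked or injected code candidate")
        if {"CreateWindowExW", "CallWindowProcW"} <= names:
            region["flags"].append("window created and WndProc chained: correlate with the clipboard-capture and keystroke signatures")
        if "DuplicateHandle" in names and names & {"GetCurrentProcess", "GetCurrentThread"}:
            region["flags"].append("pseudo-handles duplicated into real handles: common CLR runtime behaviour, weak on its own")
    return regions


if __name__ == "__main__":
    for src, region in triage(SAMPLE).items():
        print(f"{src}: pid#{region['process_index']} base={region['base']:#010x} {region['protection']} pe_backed={region['pe_backed']} records={region['records']}")
        for api in sorted(region["apis"]):
            print("   api:", api)
        for flag in region["flags"]:
            print("   flag:", flag)
```

Run it on the full "Executed Functions" text of a report rather than the embedded sample to see which regions concentrate the interesting calls; in this listing every region is a non-PE-backed RWX mapping, which is consistent with the "Injects a PE file into a foreign processes" and ".NET source code contains potential unpacker" signatures at the top of the report. The cluster hints only narrow where to look in the dumps; the `DuplicateHandle` pattern in particular is routine CLR start-up and should not be read as evidence on its own.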

                                                  Non-executed Functions