Loading ...

Play interactive tourEdit tour

Windows Analysis Report 6LS4xS6TKn.exe

Overview

General Information

Sample Name:6LS4xS6TKn.exe
Analysis ID:452668
MD5:118f0e5d6a1c91a5b820741669c495d7
SHA1:933d498bf7eea29d1dedd4b597692d62c6dc53d4
SHA256:16d0e36df66a1ba451c25a5f5c1fcccca5cb415a81cb8820f89811232c4fc3b3
Tags:AgentTeslaexe
Infos:

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Process Tree

  • System is w10x64
  • 6LS4xS6TKn.exe (PID: 4260 cmdline: 'C:\Users\user\Desktop\6LS4xS6TKn.exe' MD5: 118F0E5D6A1C91A5B820741669C495D7)
    • schtasks.exe (PID: 4300 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yuNCTcaeT' /XML 'C:\Users\user\AppData\Local\Temp\tmp74F3.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • 6LS4xS6TKn.exe (PID: 6048 cmdline: {path} MD5: 118F0E5D6A1C91A5B820741669C495D7)
  • MLdAu.exe (PID: 6108 cmdline: 'C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe' MD5: 118F0E5D6A1C91A5B820741669C495D7)
    • schtasks.exe (PID: 3148 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yuNCTcaeT' /XML 'C:\Users\user\AppData\Local\Temp\tmpAB9F.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 1328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • MLdAu.exe (PID: 1392 cmdline: {path} MD5: 118F0E5D6A1C91A5B820741669C495D7)
  • MLdAu.exe (PID: 5432 cmdline: 'C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe' MD5: 118F0E5D6A1C91A5B820741669C495D7)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "account@jiqdyi.com", "Password": "Emotion22", "Host": "mail.spamora.net"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000001F.00000002.490664959.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    0000001F.00000002.490664959.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
      00000017.00000002.484767094.000000000399B000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        00000017.00000002.484767094.000000000399B000.00000004.00000001.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
          00000000.00000002.313750267.0000000003FAB000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            Click to see the 5 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            0.2.6LS4xS6TKn.exe.406f160.2.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              0.2.6LS4xS6TKn.exe.406f160.2.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                31.2.MLdAu.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                  31.2.MLdAu.exe.400000.0.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                    23.2.MLdAu.exe.3a5f160.2.raw.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                      Click to see the 5 entries

                      Sigma Overview

                      No Sigma rule has matched

                      Jbx Signature Overview

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection:

                      barindex
                      Found malware configurationShow sources
                      Source: 31.2.MLdAu.exe.400000.0.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "account@jiqdyi.com", "Password": "Emotion22", "Host": "mail.spamora.net"}
                      Multi AV Scanner detection for dropped fileShow sources
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeReversingLabs: Detection: 30%
                      Source: C:\Users\user\AppData\Roaming\yuNCTcaeT.exeReversingLabs: Detection: 30%
                      Multi AV Scanner detection for submitted fileShow sources
                      Source: 6LS4xS6TKn.exeVirustotal: Detection: 37%Perma Link
                      Machine Learning detection for dropped fileShow sources
                      Source: C:\Users\user\AppData\Roaming\yuNCTcaeT.exeJoe Sandbox ML: detected
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeJoe Sandbox ML: detected
                      Machine Learning detection for sampleShow sources
                      Source: 6LS4xS6TKn.exeJoe Sandbox ML: detected
                      Source: 31.2.MLdAu.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                      Source: 6LS4xS6TKn.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: 6LS4xS6TKn.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: MLdAu.exe, 0000001F.00000002.496038864.00000000029F1000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                      Source: MLdAu.exe, 0000001F.00000002.496038864.00000000029F1000.00000004.00000001.sdmpString found in binary or memory: http://BGwprh.com
                      Source: MLdAu.exe, 0000001F.00000002.496038864.00000000029F1000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
                      Source: 6LS4xS6TKn.exe, 00000000.00000002.323812186.00000000067A0000.00000002.00000001.sdmp, MLdAu.exe, 00000017.00000002.489169932.0000000006090000.00000002.00000001.sdmp, MLdAu.exe, 00000019.00000002.506598574.0000000006410000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
                      Source: 6LS4xS6TKn.exe, 00000000.00000002.310375251.0000000002F51000.00000004.00000001.sdmp, MLdAu.exe, 00000017.00000002.481802718.0000000002941000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: 6LS4xS6TKn.exe, 00000000.00000002.323812186.00000000067A0000.00000002.00000001.sdmp, MLdAu.exe, 00000017.00000002.489169932.0000000006090000.00000002.00000001.sdmp, MLdAu.exe, 00000019.00000002.506598574.0000000006410000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                      Source: 6LS4xS6TKn.exe, 00000000.00000003.221602372.00000000059D5000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com
                      Source: 6LS4xS6TKn.exe, 00000000.00000003.221602372.00000000059D5000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coman
                      Source: 6LS4xS6TKn.exe, 00000000.00000002.323812186.00000000067A0000.00000002.00000001.sdmp, MLdAu.exe, 00000017.00000002.489169932.0000000006090000.00000002.00000001.sdmp, MLdAu.exe, 00000019.00000002.506598574.0000000006410000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
                      Source: 6LS4xS6TKn.exe, 00000000.00000003.221602372.00000000059D5000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.como.
                      Source: 6LS4xS6TKn.exe, 00000000.00000003.222072740.00000000059D5000.00000004.00000001.sdmp, 6LS4xS6TKn.exe, 00000000.00000003.221373047.00000000059D5000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comva
                      Source: 6LS4xS6TKn.exe, 00000000.00000003.225393927.00000000059CC000.00000004.00000001.sdmp, 6LS4xS6TKn.exe, 00000000.00000003.226229966.00000000059D2000.00000004.00000001.sdmp, MLdAu.exe, 00000017.00000002.489169932.0000000006090000.00000002.00000001.sdmp, MLdAu.exe, 00000019.00000002.506598574.0000000006410000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
                      Source: MLdAu.exe, 00000019.00000002.506598574.0000000006410000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                      Source: 6LS4xS6TKn.exe, 00000000.00000002.323812186.00000000067A0000.00000002.00000001.sdmp, MLdAu.exe, 00000017.00000002.489169932.0000000006090000.00000002.00000001.sdmp, MLdAu.exe, 00000019.00000002.506598574.0000000006410000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                      Source: 6LS4xS6TKn.exe, 00000000.00000002.323812186.00000000067A0000.00000002.00000001.sdmp, MLdAu.exe, 00000017.00000002.489169932.0000000006090000.00000002.00000001.sdmp, MLdAu.exe, 00000019.00000002.506598574.0000000006410000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                      Source: 6LS4xS6TKn.exe, 00000000.00000002.323812186.00000000067A0000.00000002.00000001.sdmp, MLdAu.exe, 00000017.00000002.489169932.0000000006090000.00000002.00000001.sdmp, MLdAu.exe, 00000019.00000002.506598574.0000000006410000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                      Source: 6LS4xS6TKn.exe, 00000000.00000002.323812186.00000000067A0000.00000002.00000001.sdmp, MLdAu.exe, 00000017.00000002.489169932.0000000006090000.00000002.00000001.sdmp, MLdAu.exe, 00000019.00000002.506598574.0000000006410000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                      Source: 6LS4xS6TKn.exe, 00000000.00000002.323812186.00000000067A0000.00000002.00000001.sdmp, MLdAu.exe, 00000017.00000002.489169932.0000000006090000.00000002.00000001.sdmp, MLdAu.exe, 00000019.00000002.506598574.0000000006410000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                      Source: 6LS4xS6TKn.exe, 00000000.00000002.323812186.00000000067A0000.00000002.00000001.sdmp, MLdAu.exe, 00000017.00000002.489169932.0000000006090000.00000002.00000001.sdmp, MLdAu.exe, 00000019.00000002.506598574.0000000006410000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                      Source: 6LS4xS6TKn.exe, 00000000.00000003.228775740.00000000059D2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comF
                      Source: 6LS4xS6TKn.exe, 00000000.00000003.226229966.00000000059D2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comFc9
                      Source: 6LS4xS6TKn.exe, 00000000.00000003.226229966.00000000059D2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comalic
                      Source: 6LS4xS6TKn.exe, 00000000.00000003.226229966.00000000059D2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comalicN9
                      Source: 6LS4xS6TKn.exe, 00000000.00000003.226229966.00000000059D2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comalsd
                      Source: 6LS4xS6TKn.exe, 00000000.00000003.226229966.00000000059D2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comalsj9
                      Source: 6LS4xS6TKn.exe, 00000000.00000003.226229966.00000000059D2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comd
                      Source: 6LS4xS6TKn.exe, 00000000.00000003.228775740.00000000059D2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comgrita
                      Source: 6LS4xS6TKn.exe, 00000000.00000003.228620224.00000000059D8000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comiona
                      Source: 6LS4xS6TKn.exe, 00000000.00000003.228620224.00000000059D8000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.como
                      Source: 6LS4xS6TKn.exe, 00000000.00000002.323812186.00000000067A0000.00000002.00000001.sdmp, MLdAu.exe, 00000017.00000002.489169932.0000000006090000.00000002.00000001.sdmp, MLdAu.exe, 00000019.00000002.506598574.0000000006410000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
                      Source: 6LS4xS6TKn.exe, 00000000.00000003.222647223.00000000059D5000.00000004.00000001.sdmp, 6LS4xS6TKn.exe, 00000000.00000003.221602372.00000000059D5000.00000004.00000001.sdmp, MLdAu.exe, 00000017.00000002.489169932.0000000006090000.00000002.00000001.sdmp, MLdAu.exe, 00000019.00000002.506598574.0000000006410000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                      Source: 6LS4xS6TKn.exe, 00000000.00000003.220285896.00000000059D3000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/
                      Source: 6LS4xS6TKn.exe, 00000000.00000002.323812186.00000000067A0000.00000002.00000001.sdmp, MLdAu.exe, 00000017.00000002.489169932.0000000006090000.00000002.00000001.sdmp, MLdAu.exe, 00000019.00000002.506598574.0000000006410000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                      Source: 6LS4xS6TKn.exe, 00000000.00000002.323812186.00000000067A0000.00000002.00000001.sdmp, MLdAu.exe, 00000017.00000002.489169932.0000000006090000.00000002.00000001.sdmp, MLdAu.exe, 00000019.00000002.506598574.0000000006410000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                      Source: 6LS4xS6TKn.exe, 00000000.00000003.220134437.00000000059D0000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cner
                      Source: 6LS4xS6TKn.exe, 00000000.00000003.220502768.00000000059D3000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnvan
                      Source: 6LS4xS6TKn.exe, 00000000.00000003.220502768.00000000059D3000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnze
                      Source: 6LS4xS6TKn.exe, 00000000.00000003.227126282.00000000059D0000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/
                      Source: 6LS4xS6TKn.exe, 00000000.00000002.323812186.00000000067A0000.00000002.00000001.sdmp, MLdAu.exe, 00000017.00000002.489169932.0000000006090000.00000002.00000001.sdmp, MLdAu.exe, 00000019.00000002.506598574.0000000006410000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                      Source: 6LS4xS6TKn.exe, 00000000.00000003.227126282.00000000059D0000.00000004.00000001.sdmp, 6LS4xS6TKn.exe, 00000000.00000002.323812186.00000000067A0000.00000002.00000001.sdmp, MLdAu.exe, 00000017.00000002.489169932.0000000006090000.00000002.00000001.sdmp, MLdAu.exe, 00000019.00000002.506598574.0000000006410000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                      Source: 6LS4xS6TKn.exe, 00000000.00000003.227126282.00000000059D0000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmS
                      Source: 6LS4xS6TKn.exe, 00000000.00000002.323812186.00000000067A0000.00000002.00000001.sdmp, MLdAu.exe, 00000017.00000002.489169932.0000000006090000.00000002.00000001.sdmp, MLdAu.exe, 00000019.00000002.506598574.0000000006410000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
                      Source: 6LS4xS6TKn.exe, 00000000.00000003.223180754.00000000059C8000.00000004.00000001.sdmp, MLdAu.exe, 00000017.00000002.489169932.0000000006090000.00000002.00000001.sdmp, MLdAu.exe, 00000019.00000002.506598574.0000000006410000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                      Source: 6LS4xS6TKn.exe, 00000000.00000003.223180754.00000000059C8000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/29
                      Source: 6LS4xS6TKn.exe, 00000000.00000003.224006332.00000000059C8000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/N9
                      Source: 6LS4xS6TKn.exe, 00000000.00000003.223180754.00000000059C8000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Q9
                      Source: 6LS4xS6TKn.exe, 00000000.00000003.224006332.00000000059C8000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/X
                      Source: 6LS4xS6TKn.exe, 00000000.00000003.223180754.00000000059C8000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0P
                      Source: 6LS4xS6TKn.exe, 00000000.00000003.224006332.00000000059C8000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0r
                      Source: 6LS4xS6TKn.exe, 00000000.00000003.223180754.00000000059C8000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/c9
                      Source: 6LS4xS6TKn.exe, 00000000.00000003.222989262.00000000059D4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/j9
                      Source: 6LS4xS6TKn.exe, 00000000.00000003.223180754.00000000059C8000.00000004.00000001.sdmp, 6LS4xS6TKn.exe, 00000000.00000003.224006332.00000000059C8000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
                      Source: 6LS4xS6TKn.exe, 00000000.00000003.223180754.00000000059C8000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/j9
                      Source: 6LS4xS6TKn.exe, 00000000.00000003.223180754.00000000059C8000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/ltt
                      Source: 6LS4xS6TKn.exe, 00000000.00000003.224006332.00000000059C8000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/oi
                      Source: 6LS4xS6TKn.exe, 00000000.00000003.223180754.00000000059C8000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/s-e
                      Source: 6LS4xS6TKn.exe, 00000000.00000003.224006332.00000000059C8000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/t
                      Source: 6LS4xS6TKn.exe, 00000000.00000002.323812186.00000000067A0000.00000002.00000001.sdmp, MLdAu.exe, 00000017.00000002.489169932.0000000006090000.00000002.00000001.sdmp, MLdAu.exe, 00000019.00000002.506598574.0000000006410000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
                      Source: 6LS4xS6TKn.exe, 00000000.00000002.323812186.00000000067A0000.00000002.00000001.sdmp, MLdAu.exe, 00000017.00000002.489169932.0000000006090000.00000002.00000001.sdmp, MLdAu.exe, 00000019.00000002.506598574.0000000006410000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
                      Source: 6LS4xS6TKn.exe, 00000000.00000002.323812186.00000000067A0000.00000002.00000001.sdmp, MLdAu.exe, 00000017.00000002.489169932.0000000006090000.00000002.00000001.sdmp, MLdAu.exe, 00000019.00000002.506598574.0000000006410000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
                      Source: MLdAu.exe, 00000019.00000002.506598574.0000000006410000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
                      Source: 6LS4xS6TKn.exe, 00000000.00000002.323812186.00000000067A0000.00000002.00000001.sdmp, MLdAu.exe, 00000017.00000002.489169932.0000000006090000.00000002.00000001.sdmp, MLdAu.exe, 00000019.00000002.506598574.0000000006410000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
                      Source: 6LS4xS6TKn.exe, 00000000.00000002.323812186.00000000067A0000.00000002.00000001.sdmp, MLdAu.exe, 00000017.00000002.489169932.0000000006090000.00000002.00000001.sdmp, MLdAu.exe, 00000019.00000002.506598574.0000000006410000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                      Source: 6LS4xS6TKn.exe, 00000000.00000002.323812186.00000000067A0000.00000002.00000001.sdmp, MLdAu.exe, 00000017.00000002.489169932.0000000006090000.00000002.00000001.sdmp, MLdAu.exe, 00000019.00000002.506598574.0000000006410000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                      Source: 6LS4xS6TKn.exe, 00000000.00000003.221128152.00000000059D5000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cno.
                      Source: MLdAu.exe, 0000001F.00000002.496038864.00000000029F1000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%GETMozilla/5.0
                      Source: MLdAu.exe, 0000001F.00000002.496038864.00000000029F1000.00000004.00000001.sdmpString found in binary or memory: https://login.blockchain.com/
                      Source: MLdAu.exe, 0000001F.00000002.496038864.00000000029F1000.00000004.00000001.sdmpString found in binary or memory: https://login.blockchain.com/ObjectLengthChainingModeGCMAuthTagLengthChainingModeKeyDataBlobAESMicro
                      Source: 6LS4xS6TKn.exe, 00000000.00000002.313750267.0000000003FAB000.00000004.00000001.sdmp, MLdAu.exe, 00000017.00000002.484767094.000000000399B000.00000004.00000001.sdmp, MLdAu.exe, 0000001F.00000002.490664959.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                      Source: MLdAu.exe, 0000001F.00000002.496038864.00000000029F1000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
                      Source: MLdAu.exe, 00000017.00000002.480314370.0000000000D18000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeCode function: 0_2_02D222400_2_02D22240
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeCode function: 0_2_02D210180_2_02D21018
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeCode function: 0_2_02D231B00_2_02D231B0
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeCode function: 0_2_02D218200_2_02D21820
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeCode function: 0_2_02D21CA70_2_02D21CA7
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeCode function: 0_2_02D222300_2_02D22230
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeCode function: 0_2_02D240100_2_02D24010
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeCode function: 0_2_02D240200_2_02D24020
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeCode function: 0_2_02D204D10_2_02D204D1
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeCode function: 0_2_02D204E00_2_02D204E0
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeCode function: 0_2_02D24B700_2_02D24B70
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeCode function: 0_2_02D24B600_2_02D24B60
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 23_2_00CF224023_2_00CF2240
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 23_2_00CF101823_2_00CF1018
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 23_2_00CF31B023_2_00CF31B0
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 23_2_00CF182023_2_00CF1820
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 23_2_00CF1CA723_2_00CF1CA7
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 23_2_00CF401023_2_00CF4010
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 23_2_00CF402023_2_00CF4020
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 23_2_00CF223023_2_00CF2230
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 23_2_00CF04D323_2_00CF04D3
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 23_2_00CF04E023_2_00CF04E0
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 23_2_00CF4B6323_2_00CF4B63
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 23_2_00CF4B7023_2_00CF4B70
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 23_2_00CF100723_2_00CF1007
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 23_2_00CF31A023_2_00CF31A0
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 23_2_00CF520023_2_00CF5200
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 23_2_00CF521023_2_00CF5210
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 23_2_00CF542123_2_00CF5421
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 23_2_00CF543023_2_00CF5430
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 23_2_00CF569923_2_00CF5699
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 23_2_00CF56A823_2_00CF56A8
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 23_2_00CF588823_2_00CF5888
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 23_2_00CF587B23_2_00CF587B
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 23_2_00CF181123_2_00CF1811
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 23_2_02823B3023_2_02823B30
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 23_2_02822B6823_2_02822B68
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 23_2_0282389A23_2_0282389A
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 23_2_0282010023_2_02820100
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 23_2_02820AE023_2_02820AE0
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 23_2_02820AF023_2_02820AF0
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 23_2_02823B2123_2_02823B21
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 23_2_02822B5823_2_02822B58
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 23_2_028238F223_2_028238F2
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 23_2_028200F023_2_028200F0
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 23_2_0282581023_2_02825810
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 23_2_0282582023_2_02825820
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 23_2_0282385823_2_02823858
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 23_2_0282060023_2_02820600
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 23_2_0282356923_2_02823569
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 23_2_04E457B423_2_04E457B4
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 23_2_04E4659023_2_04E46590
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 23_2_04E4470323_2_04E44703
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 23_2_04E4471023_2_04E44710
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 23_2_04E4271C23_2_04E4271C
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 25_2_00E9224025_2_00E92240
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 25_2_00E9101825_2_00E91018
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 25_2_00E931B025_2_00E931B0
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 25_2_00E9182025_2_00E91820
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 25_2_00E91CA725_2_00E91CA7
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 25_2_00E9402025_2_00E94020
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 25_2_00E9401025_2_00E94010
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 25_2_00E904E025_2_00E904E0
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 25_2_00E904D125_2_00E904D1
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 25_2_00E94B6025_2_00E94B60
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 25_2_00E94B7025_2_00E94B70
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 25_2_00E9521025_2_00E95210
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 25_2_00E9543025_2_00E95430
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 25_2_00E956A825_2_00E956A8
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 25_2_00E9588825_2_00E95888
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 25_2_02C357B425_2_02C357B4
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 25_2_02C3470325_2_02C34703
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 25_2_02C3471025_2_02C34710
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 25_2_02C3271C25_2_02C3271C
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 25_2_02C3659025_2_02C36590
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 25_2_0550745C25_2_0550745C
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 31_2_028248E031_2_028248E0
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 31_2_028248DB31_2_028248DB
                      Source: 6LS4xS6TKn.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: yuNCTcaeT.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: 6LS4xS6TKn.exe, 00000000.00000002.324715364.0000000007B90000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs 6LS4xS6TKn.exe
                      Source: 6LS4xS6TKn.exe, 00000000.00000002.312300179.000000000322D000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameResource_Meter.dll> vs 6LS4xS6TKn.exe
                      Source: 6LS4xS6TKn.exe, 00000000.00000002.313750267.0000000003FAB000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameujwgwcyhtpqCnYQxVzecNLZpOeEfHt.exe4 vs 6LS4xS6TKn.exe
                      Source: 6LS4xS6TKn.exe, 00000000.00000002.324598373.0000000007A30000.00000002.00000001.sdmpBinary or memory string: originalfilename vs 6LS4xS6TKn.exe
                      Source: 6LS4xS6TKn.exe, 00000000.00000002.324598373.0000000007A30000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs 6LS4xS6TKn.exe
                      Source: 6LS4xS6TKn.exe, 00000000.00000002.324532162.00000000079E0000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs 6LS4xS6TKn.exe
                      Source: 6LS4xS6TKn.exe, 00000000.00000002.308987579.0000000000C59000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameqem4S.exe2 vs 6LS4xS6TKn.exe
                      Source: 6LS4xS6TKn.exe, 00000000.00000002.319983939.00000000054B0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs 6LS4xS6TKn.exe
                      Source: 6LS4xS6TKn.exe, 00000012.00000000.308204527.0000000000959000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameqem4S.exe2 vs 6LS4xS6TKn.exe
                      Source: 6LS4xS6TKn.exeBinary or memory string: OriginalFilenameqem4S.exe2 vs 6LS4xS6TKn.exe
                      Source: 6LS4xS6TKn.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: 6LS4xS6TKn.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: yuNCTcaeT.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: classification engineClassification label: mal100.troj.evad.winEXE@13/7@0/0
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeFile created: C:\Users\user\AppData\Roaming\yuNCTcaeT.exeJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeMutant created: \Sessions\1\BaseNamedObjects\sDHgnvwda
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4604:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1328:120:WilError_01
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeFile created: C:\Users\user\AppData\Local\Temp\tmp74F3.tmpJump to behavior
                      Source: 6LS4xS6TKn.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: 6LS4xS6TKn.exeVirustotal: Detection: 37%
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeFile read: C:\Users\user\Desktop\6LS4xS6TKn.exeJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\6LS4xS6TKn.exe 'C:\Users\user\Desktop\6LS4xS6TKn.exe'
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yuNCTcaeT' /XML 'C:\Users\user\AppData\Local\Temp\tmp74F3.tmp'
                      Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess created: C:\Users\user\Desktop\6LS4xS6TKn.exe {path}
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe 'C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe'
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe 'C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe'
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yuNCTcaeT' /XML 'C:\Users\user\AppData\Local\Temp\tmpAB9F.tmp'
                      Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess created: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe {path}
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yuNCTcaeT' /XML 'C:\Users\user\AppData\Local\Temp\tmp74F3.tmp'Jump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess created: C:\Users\user\Desktop\6LS4xS6TKn.exe {path}Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yuNCTcaeT' /XML 'C:\Users\user\AppData\Local\Temp\tmpAB9F.tmp'Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess created: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe {path}Jump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32Jump to behavior
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                      Source: 6LS4xS6TKn.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: 6LS4xS6TKn.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

                      Data Obfuscation:

                      barindex
                      .NET source code contains potential unpackerShow sources
                      Source: 6LS4xS6TKn.exe, uNotepad/Form1.cs.Net Code: TGBNJUYHFDERWS System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeCode function: 0_2_00BD9686 push ss; ret 0_2_00BD96AD
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeCode function: 0_2_00BD73C5 push edi; retf 0_2_00BD73DB
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeCode function: 0_2_02D261EA push edx; iretd 0_2_02D261EB
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeCode function: 0_2_02D22A4F push edi; retf 0_2_02D22A51
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 23_2_005473C5 push edi; retf 23_2_005473DB
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 23_2_00549686 push ss; ret 23_2_005496AD
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 23_2_00CF61EA push edx; iretd 23_2_00CF61EB
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 23_2_00CF6365 pushad ; iretd 23_2_00CF6372
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 23_2_00CF6360 pushad ; iretd 23_2_00CF6362
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 23_2_00CF632F pushad ; iretd 23_2_00CF6332
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 23_2_00CF2A4F push edi; retf 23_2_00CF2A51
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 23_2_00CF0FD0 push cs; iretd 23_2_00CF0FD6
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 23_2_00CF0FE3 push es; iretd 23_2_00CF0FFE
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 23_2_00CF0F9B push es; iretd 23_2_00CF0FA6
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 23_2_00CF0F90 push es; iretd 23_2_00CF0F9A
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 23_2_0282994D push FFFFFF8Bh; iretd 23_2_0282994F
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 25_2_007F73C5 push edi; retf 25_2_007F73DB
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 25_2_007F9686 push ss; ret 25_2_007F96AD
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 25_2_00E961EA push edx; iretd 25_2_00E961EB
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 25_2_00E92A4F push edi; retf 25_2_00E92A51
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 25_2_02C3E3D0 push cs; retf 0002h25_2_02C3E3D2
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 25_2_02C3E331 push cs; retf 0002h25_2_02C3E332
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 25_2_02C3FA88 push ds; retf 0002h25_2_02C3FA8A
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 25_2_02C3FAB8 push ds; retf 0002h25_2_02C3FABA
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 25_2_02C3FB80 push ds; retf 0002h25_2_02C3FB82
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 25_2_02C3FB09 push ds; retf 0002h25_2_02C3FB0A
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 25_2_02C3FCC8 push ds; retf 0002h25_2_02C3FCCA
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 25_2_02C3FC6F push ds; retf 0002h25_2_02C3FC72
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 25_2_055064A0 pushad ; retf 0002h25_2_055064F2
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 25_2_05504378 push eax; retf 0002h25_2_055043CA
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeCode function: 25_2_0550E502 push E802005Eh; ret 25_2_0550E509
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.70847292155
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.70847292155
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeFile created: C:\Users\user\AppData\Roaming\yuNCTcaeT.exeJump to dropped file
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeFile created: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeJump to dropped file

                      Boot Survival:

                      barindex
                      Uses schtasks.exe or at.exe to add and modify task schedulesShow sources
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yuNCTcaeT' /XML 'C:\Users\user\AppData\Local\Temp\tmp74F3.tmp'
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run MLdAuJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run MLdAuJump to behavior

                      Hooking and other Techniques for Hiding and Protection:

                      barindex
                      Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeFile opened: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe:Zone.Identifier read attributes | deleteJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion:

                      barindex
                      Yara detected AntiVM3Show sources
                      Source: Yara matchFile source: Process Memory Space: MLdAu.exe PID: 6108, type: MEMORY
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
                      Source: 6LS4xS6TKn.exe, 00000000.00000002.310375251.0000000002F51000.00000004.00000001.sdmp, MLdAu.exe, 00000017.00000002.481802718.0000000002941000.00000004.00000001.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
                      Source: 6LS4xS6TKn.exe, 00000000.00000002.310375251.0000000002F51000.00000004.00000001.sdmp, MLdAu.exe, 00000017.00000002.481802718.0000000002941000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeWindow / User API: threadDelayed 956Jump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeWindow / User API: threadDelayed 8891Jump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exe TID: 5280Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exe TID: 5700Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exe TID: 1828Thread sleep time: -21213755684765971s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe TID: 5436Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe TID: 6040Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeLast function: Thread delayed
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: MLdAu.exe, 00000017.00000002.481802718.0000000002941000.00000004.00000001.sdmpBinary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
                      Source: MLdAu.exe, 00000017.00000002.481802718.0000000002941000.00000004.00000001.sdmpBinary or memory string: vmware
                      Source: MLdAu.exe, 00000017.00000002.481802718.0000000002941000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: MLdAu.exe, 00000017.00000002.481802718.0000000002941000.00000004.00000001.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                      Source: MLdAu.exe, 00000017.00000002.481802718.0000000002941000.00000004.00000001.sdmpBinary or memory string: VMWARE
                      Source: MLdAu.exe, 00000017.00000002.481802718.0000000002941000.00000004.00000001.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: MLdAu.exe, 00000017.00000002.481802718.0000000002941000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                      Source: MLdAu.exe, 00000017.00000002.481802718.0000000002941000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
                      Source: MLdAu.exe, 00000017.00000002.481802718.0000000002941000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeMemory allocated: page read and write | page guardJump to behavior

                      HIPS / PFW / Operating System Protection Evasion:

                      barindex
                      Injects a PE file into a foreign processesShow sources
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeMemory written: C:\Users\user\Desktop\6LS4xS6TKn.exe base: 400000 value starts with: 4D5AJump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeMemory written: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe base: 400000 value starts with: 4D5AJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yuNCTcaeT' /XML 'C:\Users\user\AppData\Local\Temp\tmp74F3.tmp'Jump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeProcess created: C:\Users\user\Desktop\6LS4xS6TKn.exe {path}Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\yuNCTcaeT' /XML 'C:\Users\user\AppData\Local\Temp\tmpAB9F.tmp'Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exeProcess created: C:\Users\user\AppData\Roaming\MLdAu\MLdAu.exe {path}Jump to behavior
                      Source: MLdAu.exe, 00000019.00000002.495400726.0000000001630000.00000002.00000001.sdmp, MLdAu.exe, 0000001F.00000002.494918317.0000000001360000.00000002.00000001.sdmpBinary or memory string: Program Manager
                      Source: MLdAu.exe, 00000019.00000002.495400726.0000000001630000.00000002.00000001.sdmp, MLdAu.exe, 0000001F.00000002.494918317.0000000001360000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
                      Source: MLdAu.exe, 00000019.00000002.495400726.0000000001630000.00000002.00000001.sdmp, MLdAu.exe, 0000001F.00000002.494918317.0000000001360000.00000002.00000001.sdmpBinary or memory string: Progman
                      Source: MLdAu.exe, 00000019.00000002.495400726.0000000001630000.00000002.00000001.sdmp, MLdAu.exe, 0000001F.00000002.494918317.0000000001360000.00000002.00000001.sdmpBinary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Users\user\Desktop\6LS4xS6TKn.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\6LS4xS6TKn.exeQueries vo