
Windows Analysis Report 2y6ArAJdV8xhjVU.exe

Overview

General Information

Sample Name: 2y6ArAJdV8xhjVU.exe
Analysis ID: 458853
MD5: b22c23cbda4b549dcdb5cacef0fd0eba
SHA1: 1834e18b188a8f22b98eb2e6da889bf2e3a02288
SHA256: 18419e6e5e1179bd6a0fb280edd651562ed51d1ad93b79b04d3bf7df06212f0c
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
.NET source code contains very large array initializations
Injects a PE file into a foreign process
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file name differs from the original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Yara detected Credential Stealer

Process Tree

  • System is w10x64
  • 2y6ArAJdV8xhjVU.exe (PID: 5552 cmdline: 'C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe' MD5: B22C23CBDA4B549DCDB5CACEF0FD0EBA)
    • 2y6ArAJdV8xhjVU.exe (PID: 5856 cmdline: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe MD5: B22C23CBDA4B549DCDB5CACEF0FD0EBA)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "logs2@agceram.com", "Password": "opVnsZA7", "Host": "smtp.agceram.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000005.00000002.476684551.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000005.00000002.476684551.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000005.00000002.488444728.00000000031E1000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000005.00000002.488444728.00000000031E1000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: 2y6ArAJdV8xhjVU.exe PID: 5856 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Unpacked PEs

Source | Rule | Description | Author
5.2.2y6ArAJdV8xhjVU.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
5.2.2y6ArAJdV8xhjVU.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 5.2.2y6ArAJdV8xhjVU.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "logs2@agceram.com", "Password": "opVnsZA7", "Host": "smtp.agceram.com"}
Multi AV Scanner detection for submitted file
Source: 2y6ArAJdV8xhjVU.exe | Virustotal: Detection: 40%
Source: 2y6ArAJdV8xhjVU.exe | Metadefender: Detection: 40%
Source: 2y6ArAJdV8xhjVU.exe | ReversingLabs: Detection: 70%
Machine Learning detection for sample
Source: 2y6ArAJdV8xhjVU.exe | Joe Sandbox ML: detected
Source: 5.2.2y6ArAJdV8xhjVU.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 2y6ArAJdV8xhjVU.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 2y6ArAJdV8xhjVU.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49734 -> 208.91.199.225:587
Source: global traffic | TCP traffic: 192.168.2.3:49734 -> 208.91.199.225:587
Source: Joe Sandbox View | IP Address: 208.91.199.225
Source: unknown | DNS traffic detected: queries for: smtp.agceram.com
Source: 2y6ArAJdV8xhjVU.exe, 00000005.00000002.488444728.00000000031E1000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: 2y6ArAJdV8xhjVU.exe, 00000005.00000002.488444728.00000000031E1000.00000004.00000001.sdmp | String found in binary or memory: http://CRIuUA.com
Source: 2y6ArAJdV8xhjVU.exe, 00000005.00000002.488444728.00000000031E1000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: 2y6ArAJdV8xhjVU.exe, 00000005.00000002.485722389.00000000016B2000.00000004.00000020.sdmp | String found in binary or memory: http://go.microsoft.c
Source: 2y6ArAJdV8xhjVU.exe, 00000005.00000002.489515982.000000000353A000.00000004.00000001.sdmp | String found in binary or memory: http://smtp.agceram.com
Source: 2y6ArAJdV8xhjVU.exe, 00000005.00000002.489515982.000000000353A000.00000004.00000001.sdmp | String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: 2y6ArAJdV8xhjVU.exe, 00000005.00000002.488444728.00000000031E1000.00000004.00000001.sdmp | String found in binary or memory: https://Y0Lt9hSgtUIwhE.com
Source: 2y6ArAJdV8xhjVU.exe, 00000005.00000002.488444728.00000000031E1000.00000004.00000001.sdmp | String found in binary or memory: https://Y0Lt9hSgtUIwhE.coml
Source: 2y6ArAJdV8xhjVU.exe, 00000005.00000002.488444728.00000000031E1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%
Source: 2y6ArAJdV8xhjVU.exe, 00000005.00000002.488444728.00000000031E1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: 2y6ArAJdV8xhjVU.exe, 00000005.00000002.476684551.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: 2y6ArAJdV8xhjVU.exe, 00000005.00000002.488444728.00000000031E1000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

.NET source code contains very large array initializations
Source: 5.2.2y6ArAJdV8xhjVU.exe.400000.0.unpack, <PrivateImplementationDetails>{83720432-3E46-4203-A0A5-0184F2945405}/D8E57D24-D36C-43DF-9764-DEE4F51D3C47.cs | Large array initialization: .cctor: array initializer size 11946
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe | Code function: 5_2_01570112
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe | Code function: 5_2_0157E870
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe | Code function: 5_2_01576038
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe | Code function: 5_2_0157C678
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe | Code function: 5_2_0157EF40
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe | Code function: 5_2_01579F88
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe | Code function: 5_2_01577210
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe | Code function: 5_2_0161B998
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe | Code function: 5_2_01616960
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe | Code function: 5_2_019146A0
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe | Code function: 5_2_019135C4
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe | Code function: 5_2_019145B0
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe | Code function: 5_2_019145F0
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe | Code function: 5_2_01914630
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe | Code function: 5_2_01914650
Source: 2y6ArAJdV8xhjVU.exe, 00000000.00000000.208142277.0000000000702000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameNamespaceResolveEventAr.exe: vs 2y6ArAJdV8xhjVU.exe
Source: 2y6ArAJdV8xhjVU.exe, 00000005.00000002.484961171.0000000001580000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs 2y6ArAJdV8xhjVU.exe
Source: 2y6ArAJdV8xhjVU.exe, 00000005.00000002.492960765.0000000006340000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs 2y6ArAJdV8xhjVU.exe
Source: 2y6ArAJdV8xhjVU.exe, 00000005.00000002.485660783.000000000168A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs 2y6ArAJdV8xhjVU.exe
Source: 2y6ArAJdV8xhjVU.exe, 00000005.00000002.476684551.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameHxGDUJyPqyYPtjyKMphcZWzflhoJwphKaTFek.exe4 vs 2y6ArAJdV8xhjVU.exe
Source: 2y6ArAJdV8xhjVU.exe, 00000005.00000002.483386738.0000000001338000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs 2y6ArAJdV8xhjVU.exe
Source: 2y6ArAJdV8xhjVU.exe, 00000005.00000000.253307845.0000000000F82000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameNamespaceResolveEventAr.exe: vs 2y6ArAJdV8xhjVU.exe
Source: 2y6ArAJdV8xhjVU.exe | Binary or memory string: OriginalFilenameNamespaceResolveEventAr.exe: vs 2y6ArAJdV8xhjVU.exe
Source: 2y6ArAJdV8xhjVU.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 2y6ArAJdV8xhjVU.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 2y6ArAJdV8xhjVU.exe | Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5, instruction diversity: 0.5
Source: 5.2.2y6ArAJdV8xhjVU.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/1
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2y6ArAJdV8xhjVU.exe.log
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe | Mutant created: \Sessions\1\BaseNamedObjects\LIgaOfjxnPIlQAlVuXcJTWfoW
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: 2y6ArAJdV8xhjVU.exe | Virustotal: Detection: 40%
Source: 2y6ArAJdV8xhjVU.exe | Metadefender: Detection: 40%
Source: 2y6ArAJdV8xhjVU.exe | ReversingLabs: Detection: 70%
Source: unknown | Process created: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe 'C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe'
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe | Process created: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 2y6ArAJdV8xhjVU.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 2y6ArAJdV8xhjVU.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: 2y6ArAJdV8xhjVU.exe | Static file information: File size 1372672 > 1048576
Source: 2y6ArAJdV8xhjVU.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x14e600
Source: 2y6ArAJdV8xhjVU.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: initial sample | Static PE information: section name: .text entropy: 7.78586329539
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe | Window / User API: threadDelayed 1869
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe | Window / User API: threadDelayed 7957
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe TID: 5084 | Thread sleep time: -43034s >= -30000s
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe TID: 4364 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe TID: 5320 | Thread sleep time: -18446744073709540s >= -30000s
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe TID: 5672 | Thread sleep count: 1869 > 30
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe TID: 5672 | Thread sleep count: 7957 > 30
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe | Thread delayed: delay time: 43034
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe | Thread delayed: delay time: 922337203685477
Source: 2y6ArAJdV8xhjVU.exe, 00000005.00000002.492960765.0000000006340000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: 2y6ArAJdV8xhjVU.exe, 00000005.00000002.492960765.0000000006340000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: 2y6ArAJdV8xhjVU.exe, 00000005.00000002.492960765.0000000006340000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: 2y6ArAJdV8xhjVU.exe, 00000005.00000002.486106741.000000000171C000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 2y6ArAJdV8xhjVU.exe, 00000005.00000002.492960765.0000000006340000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe | Code function: 5_2_01579440 LdrInitializeThunk
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe | Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion:

                barindex
                Injects a PE file into a foreign processesShow sources
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe | Memory written: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe | Process created: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe
Source: 2y6ArAJdV8xhjVU.exe, 00000005.00000002.487846806.0000000001CD0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: 2y6ArAJdV8xhjVU.exe, 00000005.00000002.487846806.0000000001CD0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: 2y6ArAJdV8xhjVU.exe, 00000005.00000002.487846806.0000000001CD0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: 2y6ArAJdV8xhjVU.exe, 00000005.00000002.487846806.0000000001CD0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe | Queries volume information: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe VolumeInformation
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe | Queries volume information: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe VolumeInformation
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 5.2.2y6ArAJdV8xhjVU.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.476684551.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Yara detected AgentTesla
Source: Yara match | File source: 5.2.2y6ArAJdV8xhjVU.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.476684551.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.488444728.00000000031E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 2y6ArAJdV8xhjVU.exe PID: 5856, type: MEMORYSTR
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match | File source: 00000005.00000002.488444728.00000000031E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 2y6ArAJdV8xhjVU.exe PID: 5856, type: MEMORYSTR

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 5.2.2y6ArAJdV8xhjVU.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.476684551.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Yara detected AgentTesla
Source: Yara match | File source: 5.2.2y6ArAJdV8xhjVU.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.476684551.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.488444728.00000000031E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 2y6ArAJdV8xhjVU.exe PID: 5856, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 211 | Path Interception | Process Injection 112 | Masquerading 1 | OS Credential Dumping 2 | Query Registry 1 | Remote Services | Email Collection 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools 1 | Credentials in Registry 1 | Security Software Discovery 111 | Remote Desktop Protocol | Archive Collected Data 11 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 131 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Local System 2 | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 112 | NTDS | Virtualization/Sandbox Evasion 131 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 11 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | Application Window Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 2 | Cached Domain Credentials | Remote System Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 3 | DCSync | System Information Discovery 114 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

Behavior Graph

Screenshots


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
2y6ArAJdV8xhjVU.exe | 40% | Virustotal |
2y6ArAJdV8xhjVU.exe | 49% | Metadefender |
2y6ArAJdV8xhjVU.exe | 70% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
2y6ArAJdV8xhjVU.exe | 100% | Joe Sandbox ML |

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
5.2.2y6ArAJdV8xhjVU.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://smtp.agceram.com | 0% | Avira URL Cloud | safe
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://go.microsoft.c | 0% | Avira URL Cloud | safe
https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
https://Y0Lt9hSgtUIwhE.coml | 0% | Avira URL Cloud | safe
https://Y0Lt9hSgtUIwhE.com | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
https://api.ipify.org% | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
http://CRIuUA.com | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
us2.smtp.mailhostbox.com | 208.91.199.225 | true | false | | high
smtp.agceram.com | unknown | unknown | true | | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://smtp.agceram.com | 2y6ArAJdV8xhjVU.exe, 00000005.00000002.489515982.000000000353A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://127.0.0.1:HTTP/1.1 | 2y6ArAJdV8xhjVU.exe, 00000005.00000002.488444728.00000000031E1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://go.microsoft.c | 2y6ArAJdV8xhjVU.exe, 00000005.00000002.485722389.00000000016B2000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
https://api.ipify.org%GETMozilla/5.0 | 2y6ArAJdV8xhjVU.exe, 00000005.00000002.488444728.00000000031E1000.00000004.00000001.sdmp | false | URL Reputation: safe | low
http://DynDns.comDynDNS | 2y6ArAJdV8xhjVU.exe, 00000005.00000002.488444728.00000000031E1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://Y0Lt9hSgtUIwhE.coml | 2y6ArAJdV8xhjVU.exe, 00000005.00000002.488444728.00000000031E1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://Y0Lt9hSgtUIwhE.com | 2y6ArAJdV8xhjVU.exe, 00000005.00000002.488444728.00000000031E1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://us2.smtp.mailhostbox.com | 2y6ArAJdV8xhjVU.exe, 00000005.00000002.489515982.000000000353A000.00000004.00000001.sdmp | false | | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 2y6ArAJdV8xhjVU.exe, 00000005.00000002.488444728.00000000031E1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.org% | 2y6ArAJdV8xhjVU.exe, 00000005.00000002.488444728.00000000031E1000.00000004.00000001.sdmp | false | URL Reputation: safe | low
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 2y6ArAJdV8xhjVU.exe, 00000005.00000002.476684551.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
http://CRIuUA.com | 2y6ArAJdV8xhjVU.exe, 00000005.00000002.488444728.00000000031E1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown

                      Contacted IPs


Public

IP | Domain | Country | ASN | ASN Name | Malicious
208.91.199.225 | us2.smtp.mailhostbox.com | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 458853
Start date: 03.08.2021
Start time: 19:52:21
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 13s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 2y6ArAJdV8xhjVU.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 25
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/1@2/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 0.3% (good quality ratio 0.3%)
• Quality average: 56.4%
• Quality standard deviation: 21.5%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 32
• Number of non-executed functions: 3
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
• Excluded IPs from analysis (whitelisted): 13.64.90.137, 23.211.6.115, 13.88.21.125, 52.147.198.201, 23.211.4.86, 20.82.210.154, 40.112.88.60, 20.82.209.104, 80.67.82.211, 80.67.82.235, 20.50.102.62
• Excluded domains from analysis (whitelisted): skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, arc.msn.com, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, iris-de-ppe-azsc-neu.northeurope.cloudapp.azure.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus15.cloudapp.net
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time | Type | Description
19:53:31 | API Interceptor | 638x Sleep call for process: 2y6ArAJdV8xhjVU.exe modified

Joe Sandbox View / Context

IPs

Match: 208.91.199.225

Associated Sample Name / URL | Detection
MFS0175, MFS0117 MFS0194.exe | malicious
MJLkaPZomUolseU.exe | malicious
Scan#0068-46c3367.exe | malicious
Quotation.exe | malicious
PURCHASE ORDER PO09377 _093640_9307355_264378_88479_0E974.exe | malicious
Waybill Doc_027942941.exe | malicious
Remittance Advise.doc | malicious
PO 98246.exe | malicious
DHL JULY STATEMENT OF ACCOUNT.exe | malicious
DOCS.exe | malicious
SecuriteInfo.com.Variant.Zusy.394472.4088.exe | malicious
ORDER SKYMET 847759 REVISED PDF.exe | malicious
Aditi Tiwari Resume.pdf.exe | malicious
SecuriteInfo.com.W32.AIDetect.malware1.17748.exe | malicious
NEW RFQ FROM WEB AFRITECH.doc | malicious
Paiement de facture.doc | malicious
8pOKNeu63F.exe | malicious
RFQ-20211307_Tiles Blue Limestone, terminal box fiber optics.doc | malicious
ok1.exe | malicious
swift copy pdf.exe | malicious

Domains

Match: us2.smtp.mailhostbox.com

Associated Sample Name / URL | Detection | Context
MFS0175, MFS0117 MFS0194.exe | malicious | 208.91.199.223
Purchase Order No.48743310321-RCN.pdf.exe | malicious | 208.91.198.143
SOA.exe | malicious | 208.91.198.143
MJLkaPZomUolseU.exe | malicious | 208.91.199.225
SecuriteInfo.com.Trojan.MSIL.Kryptik.56a80396.11710.exe | malicious | 208.91.199.224
Invoice.exe | malicious | 208.91.198.143
Scan#0068-46c3367.exe | malicious | 208.91.198.143
Scan#0068-46c3366.exe | malicious | 208.91.199.223
IMG-20210802-WA0587-085.exe | malicious | 208.91.198.143
IMG-20210802-WA0587-087.exe | malicious | 208.91.198.143
Quotation.exe | malicious | 208.91.199.225
PURCHASE ORDER PO09377 _093640_9307355_264378_88479_0E974.exe | malicious | 208.91.199.225
order.PDF.exe | malicious | 208.91.198.143
RFQ #7696679TTR6F.exe | malicious | 208.91.199.224
Waybill Doc_027942941.exe | malicious | 208.91.199.225
Confirmaci#U00f3n de pago .exe | malicious | 208.91.199.224
oBNvb4c6bg.exe | malicious | 208.91.199.224
TVz86np48Z.exe | malicious | 208.91.199.223
Current Vendor Payment Application .doc | malicious | 208.91.199.224
XiAn Sunnstatement 27-07-2021 pdf.exe | malicious | 208.91.199.223

ASN

Match: PUBLIC-DOMAIN-REGISTRYUS

Associated Sample Name / URL | Detection | Context
MFS0175, MFS0117 MFS0194.exe | malicious | 208.91.199.223
Purchase Order No.48743310321-RCN.pdf.exe | malicious | 208.91.198.143
SOA.exe | malicious | 208.91.198.143
QUOTATION LIST FOR NEW ORDER.exe | malicious | 204.11.58.233
MJLkaPZomUolseU.exe | malicious | 208.91.199.225
SecuriteInfo.com.Trojan.MSIL.Kryptik.56a80396.11710.exe | malicious | 208.91.199.224
Invoice.exe | malicious | 208.91.198.143
Scan#0068-46c3367.exe | malicious | 208.91.199.224
Scan#0068-46c3366.exe | malicious | 208.91.199.223
bin.exe | malicious | 119.18.54.122
IMG-20210802-WA0587-085.exe | malicious | 208.91.199.224
IMG-20210802-WA0587-087.exe | malicious | 208.91.198.143
Quotation.exe | malicious | 208.91.199.224
QUOTE 04202021.exe | malicious | 103.21.58.16
PURCHASE ORDER PO09377 _093640_9307355_264378_88479_0E974.exe | malicious | 208.91.199.225
order.PDF.exe | malicious | 208.91.199.223
RFQ #7696679TTR6F.exe | malicious | 208.91.199.224
Waybill Doc_027942941.exe | malicious | 208.91.199.225
Confirmaci#U00f3n de pago .exe | malicious | 208.91.199.224
triage_dropped_file.exe | malicious | 162.222.226.11

                                                              JA3 Fingerprints

                                                              No context

                                                              Dropped Files

                                                              No context

                                                              Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2y6ArAJdV8xhjVU.exe.log
Process: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1314
Entropy (8bit): 5.350128552078965
Encrypted: false
SSDEEP: 24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5: 1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1: B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256: 28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512: 95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

                                                              Static File Info

                                                              General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.7803517832197935
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: 2y6ArAJdV8xhjVU.exe
File size: 1372672
MD5: b22c23cbda4b549dcdb5cacef0fd0eba
SHA1: 1834e18b188a8f22b98eb2e6da889bf2e3a02288
SHA256: 18419e6e5e1179bd6a0fb280edd651562ed51d1ad93b79b04d3bf7df06212f0c
SHA512: 7e67fd8bdfb166a0cecc6935b539113fd45fa7c8a2d046da00877bdb5b73b1bec90135e8d6b8b4ebbdf3774581b3d3debadade88432a21bcd56a5a99917babed
SSDEEP: 24576:AOrS/d34YdkYy7nCZqe9pSBEe1p81W0v3vYIz6jQmwRGPoN7vdiTbnFM:kvy7nsD9p9eog0nrOQm/PoiM
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...t..a..............P.................. ... ....@.. .......................`............@................................

                                                              File Icon

Icon Hash: 00828e8e8686b000

                                                              Static PE Info

                                                              General

Entrypoint: 0x55032e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x6103C574 [Fri Jul 30 09:25:08 2021 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

                                                              Entrypoint Preview

                                                              Instruction
                                                              jmp dword ptr [00402000h]

                                                              Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1502dc | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x152000 | 0x618 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x154000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -

                                                              Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x14e594 | 0x14e600 | False | 0.865463639019 | data | 7.78586329539 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x152000 | 0x618 | 0x800 | False | 0.34130859375 | data | 3.48259590206 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x154000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0815394123432 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                              Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x152090 | 0x388 | data | - | -
RT_MANIFEST | 0x152428 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | - | -

                                                              Imports

DLL | Import
mscoree.dll | _CorExeMain

                                                              Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | TeamViewer 2021 (C)
Assembly Version | 4.2.2.0
InternalName | NamespaceResolveEventAr.exe
FileVersion | 4.3.0.6
CompanyName | TeamViewer GmBh
LegalTrademarks | -
Comments | -
ProductName | Game Picture
ProductVersion | 4.3.0.6
FileDescription | Game Picture
OriginalFilename | NamespaceResolveEventAr.exe

                                                              Network Behavior

                                                              Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
08/03/21-19:55:14.810622 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49734 | 587 | 192.168.2.3 | 208.91.199.225

                                                              Network Port Distribution

                                                              TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 3, 2021 19:55:13.551455021 CEST | 49734 | 587 | 192.168.2.3 | 208.91.199.225
Aug 3, 2021 19:55:13.700439930 CEST | 587 | 49734 | 208.91.199.225 | 192.168.2.3
Aug 3, 2021 19:55:13.700589895 CEST | 49734 | 587 | 192.168.2.3 | 208.91.199.225
Aug 3, 2021 19:55:13.875444889 CEST | 587 | 49734 | 208.91.199.225 | 192.168.2.3
Aug 3, 2021 19:55:13.876321077 CEST | 49734 | 587 | 192.168.2.3 | 208.91.199.225
Aug 3, 2021 19:55:14.025165081 CEST | 587 | 49734 | 208.91.199.225 | 192.168.2.3
Aug 3, 2021 19:55:14.025193930 CEST | 587 | 49734 | 208.91.199.225 | 192.168.2.3
Aug 3, 2021 19:55:14.027668953 CEST | 49734 | 587 | 192.168.2.3 | 208.91.199.225
Aug 3, 2021 19:55:14.177339077 CEST | 587 | 49734 | 208.91.199.225 | 192.168.2.3
Aug 3, 2021 19:55:14.178615093 CEST | 49734 | 587 | 192.168.2.3 | 208.91.199.225
Aug 3, 2021 19:55:14.329627037 CEST | 587 | 49734 | 208.91.199.225 | 192.168.2.3
Aug 3, 2021 19:55:14.330945969 CEST | 49734 | 587 | 192.168.2.3 | 208.91.199.225
Aug 3, 2021 19:55:14.480982065 CEST | 587 | 49734 | 208.91.199.225 | 192.168.2.3
Aug 3, 2021 19:55:14.481693983 CEST | 49734 | 587 | 192.168.2.3 | 208.91.199.225
Aug 3, 2021 19:55:14.659493923 CEST | 587 | 49734 | 208.91.199.225 | 192.168.2.3
Aug 3, 2021 19:55:14.660171032 CEST | 49734 | 587 | 192.168.2.3 | 208.91.199.225
Aug 3, 2021 19:55:14.809346914 CEST | 587 | 49734 | 208.91.199.225 | 192.168.2.3
Aug 3, 2021 19:55:14.810621977 CEST | 49734 | 587 | 192.168.2.3 | 208.91.199.225
Aug 3, 2021 19:55:14.810714006 CEST | 49734 | 587 | 192.168.2.3 | 208.91.199.225
Aug 3, 2021 19:55:14.811454058 CEST | 49734 | 587 | 192.168.2.3 | 208.91.199.225
Aug 3, 2021 19:55:14.811523914 CEST | 49734 | 587 | 192.168.2.3 | 208.91.199.225
Aug 3, 2021 19:55:14.964803934 CEST | 587 | 49734 | 208.91.199.225 | 192.168.2.3
Aug 3, 2021 19:55:14.964838982 CEST | 587 | 49734 | 208.91.199.225 | 192.168.2.3
Aug 3, 2021 19:55:15.060512066 CEST | 587 | 49734 | 208.91.199.225 | 192.168.2.3
Aug 3, 2021 19:55:15.112889051 CEST | 49734 | 587 | 192.168.2.3 | 208.91.199.225

                                                              UDP Packets


                                                              DNS Queries

                                                              Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name              Type            Class
                                                              Aug 3, 2021 19:55:13.025868893 CEST  192.168.2.3  8.8.8.8  0xb753    Standard query (0)  smtp.agceram.com  A (IP address)  IN (0x0001)
                                                              Aug 3, 2021 19:55:13.280260086 CEST  192.168.2.3  8.8.8.8  0xd1d8    Standard query (0)  smtp.agceram.com  A (IP address)  IN (0x0001)

                                                              DNS Answers

                                                              Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                      CName                     Address         Type                    Class
                                                              Aug 3, 2021 19:55:13.263663054 CEST  8.8.8.8    192.168.2.3  0xb753    No error (0)  smtp.agceram.com          us2.smtp.mailhostbox.com                  CNAME (Canonical name)  IN (0x0001)
                                                              Aug 3, 2021 19:55:13.263663054 CEST  8.8.8.8    192.168.2.3  0xb753    No error (0)  us2.smtp.mailhostbox.com                            208.91.199.225  A (IP address)          IN (0x0001)
                                                              Aug 3, 2021 19:55:13.263663054 CEST  8.8.8.8    192.168.2.3  0xb753    No error (0)  us2.smtp.mailhostbox.com                            208.91.199.224  A (IP address)          IN (0x0001)
                                                              Aug 3, 2021 19:55:13.263663054 CEST  8.8.8.8    192.168.2.3  0xb753    No error (0)  us2.smtp.mailhostbox.com                            208.91.198.143  A (IP address)          IN (0x0001)
                                                              Aug 3, 2021 19:55:13.263663054 CEST  8.8.8.8    192.168.2.3  0xb753    No error (0)  us2.smtp.mailhostbox.com                            208.91.199.223  A (IP address)          IN (0x0001)
                                                              Aug 3, 2021 19:55:13.444217920 CEST  8.8.8.8    192.168.2.3  0xd1d8    No error (0)  smtp.agceram.com          us2.smtp.mailhostbox.com                  CNAME (Canonical name)  IN (0x0001)
                                                              Aug 3, 2021 19:55:13.444217920 CEST  8.8.8.8    192.168.2.3  0xd1d8    No error (0)  us2.smtp.mailhostbox.com                            208.91.199.225  A (IP address)          IN (0x0001)
                                                              Aug 3, 2021 19:55:13.444217920 CEST  8.8.8.8    192.168.2.3  0xd1d8    No error (0)  us2.smtp.mailhostbox.com                            208.91.199.224  A (IP address)          IN (0x0001)
                                                              Aug 3, 2021 19:55:13.444217920 CEST  8.8.8.8    192.168.2.3  0xd1d8    No error (0)  us2.smtp.mailhostbox.com                            208.91.199.223  A (IP address)          IN (0x0001)
                                                              Aug 3, 2021 19:55:13.444217920 CEST  8.8.8.8    192.168.2.3  0xd1d8    No error (0)  us2.smtp.mailhostbox.com                            208.91.198.143  A (IP address)          IN (0x0001)

                                                              SMTP Packets

                                                              Timestamp                            Source Port  Dest Port  Source IP       Dest IP         Commands
                                                              Aug 3, 2021 19:55:13.875444889 CEST  587          49734      208.91.199.225  192.168.2.3     220 us2.outbound.mailhostbox.com ESMTP Postfix
                                                              Aug 3, 2021 19:55:13.876321077 CEST  49734        587        192.168.2.3     208.91.199.225  EHLO 445817
                                                              Aug 3, 2021 19:55:14.025193930 CEST  587          49734      208.91.199.225  192.168.2.3     250-us2.outbound.mailhostbox.com
                                                                                                                                                           250-PIPELINING
                                                                                                                                                           250-SIZE 41648128
                                                                                                                                                           250-VRFY
                                                                                                                                                           250-ETRN
                                                                                                                                                           250-STARTTLS
                                                                                                                                                           250-AUTH PLAIN LOGIN
                                                                                                                                                           250-AUTH=PLAIN LOGIN
                                                                                                                                                           250-ENHANCEDSTATUSCODES
                                                                                                                                                           250-8BITMIME
                                                                                                                                                           250 DSN
                                                              Aug 3, 2021 19:55:14.027668953 CEST  49734        587        192.168.2.3     208.91.199.225  AUTH login bG9nczJAYWdjZXJhbS5jb20=
                                                              Aug 3, 2021 19:55:14.177339077 CEST  587          49734      208.91.199.225  192.168.2.3     334 UGFzc3dvcmQ6
                                                              Aug 3, 2021 19:55:14.329627037 CEST  587          49734      208.91.199.225  192.168.2.3     235 2.7.0 Authentication successful
                                                              Aug 3, 2021 19:55:14.330945969 CEST  49734        587        192.168.2.3     208.91.199.225  MAIL FROM:<logs2@agceram.com>
                                                              Aug 3, 2021 19:55:14.480982065 CEST  587          49734      208.91.199.225  192.168.2.3     250 2.1.0 Ok
                                                              Aug 3, 2021 19:55:14.481693983 CEST  49734        587        192.168.2.3     208.91.199.225  RCPT TO:<logs2@agceram.com>
                                                              Aug 3, 2021 19:55:14.659493923 CEST  587          49734      208.91.199.225  192.168.2.3     250 2.1.5 Ok
                                                              Aug 3, 2021 19:55:14.660171032 CEST  49734        587        192.168.2.3     208.91.199.225  DATA
                                                              Aug 3, 2021 19:55:14.809346914 CEST  587          49734      208.91.199.225  192.168.2.3     354 End data with <CR><LF>.<CR><LF>
                                                              Aug 3, 2021 19:55:14.811523914 CEST  49734        587        192.168.2.3     208.91.199.225  .
                                                              Aug 3, 2021 19:55:15.060512066 CEST  587          49734      208.91.199.225  192.168.2.3     250 2.0.0 Ok: queued as 8E4AA7822FF

                                                              The AUTH login username bG9nczJAYWdjZXJhbS5jb20= is base64 for logs2@agceram.com and the server's 334 UGFzc3dvcmQ6 challenge is base64 for "Password:"; the client's password reply itself is not listed above, and the session is sent in clear text on port 587 without using the advertised STARTTLS.

                                                              Code Manipulations

                                                              Statistics

                                                              CPU Usage

                                                              Memory Usage

                                                              High Level Behavior Distribution

                                                              Behavior

                                                              System Behavior

                                                              General

                                                              Start time: 19:53:11
                                                              Start date: 03/08/2021
                                                              Path: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe
                                                              Wow64 process (32bit): true
                                                              Commandline: 'C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe'
                                                              Imagebase: 0x5b0000
                                                              File size: 1372672 bytes
                                                              MD5 hash: B22C23CBDA4B549DCDB5CACEF0FD0EBA
                                                              Has elevated privileges: true
                                                              Has administrator privileges: true
                                                              Programmed in: .Net C# or VB.NET
                                                              Reputation: low

                                                              General

                                                              Start time: 19:53:32
                                                              Start date: 03/08/2021
                                                              Path: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe
                                                              Wow64 process (32bit): true
                                                              Commandline: C:\Users\user\Desktop\2y6ArAJdV8xhjVU.exe
                                                              Imagebase: 0xe30000
                                                              File size: 1372672 bytes
                                                              MD5 hash: B22C23CBDA4B549DCDB5CACEF0FD0EBA
                                                              Has elevated privileges: true
                                                              Has administrator privileges: true
                                                              Programmed in: .Net C# or VB.NET
                                                              Yara matches:
                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.476684551.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000002.476684551.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.488444728.00000000031E1000.00000004.00000001.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.488444728.00000000031E1000.00000004.00000001.sdmp, Author: Joe Security
                                                              Reputation: low

                                                              Disassembly

                                                              Code Analysis

                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d484e4e925535bb408ee1d2bc2a5125717932db2d0bbaa91dbdc7306f45787f1
                                                                • Instruction ID: 43e78bb8da847f9767eaea3ebbf9aeae0f610396a713c6c6345264d77967071b
                                                                • Opcode Fuzzy Hash: d484e4e925535bb408ee1d2bc2a5125717932db2d0bbaa91dbdc7306f45787f1
                                                                • Instruction Fuzzy Hash: 04C12DB04227458BD711CF6DE84A6897FB1BB85728B50C308F1612F6D1DBB9108AEFC8
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.487160823.0000000001910000.00000040.00000001.sdmp, Offset: 01910000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 32fe60f1235da98f10ed0a2c6ea9c869d67334605681aa6f712507f70922ae07
                                                                • Instruction ID: 4cd00f954e8aea8e9060f12d681bb2cd692f12be4a53dc31016c0d072394a7da
                                                                • Opcode Fuzzy Hash: 32fe60f1235da98f10ed0a2c6ea9c869d67334605681aa6f712507f70922ae07
                                                                • Instruction Fuzzy Hash: 71B1AD74A007098FDB14EF79C48066EBBF6FF88214B508A2DD50ACB755EF34E9458B94
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.484909409.0000000001570000.00000040.00000001.sdmp, Offset: 01570000, based on PE: false
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:
                                                                • API String ID: 2994545307-0
                                                                • Opcode ID: 0e7f9541f36247aab85fe14f1c1e2449284287cf5725555af0386eaca16484b8
                                                                • Instruction ID: 5bb44bbebec1b2088b102ed66d485676d87e151be1107c6ccd7c4f04aa9ea126
                                                                • Opcode Fuzzy Hash: 0e7f9541f36247aab85fe14f1c1e2449284287cf5725555af0386eaca16484b8
                                                                • Instruction Fuzzy Hash: AF51D130A003059FCB14EBB4D849AAEBBF6BF84304F148969E516DF755EB34D805CB60
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.484909409.0000000001570000.00000040.00000001.sdmp, Offset: 01570000, based on PE: false
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:
                                                                • API String ID: 2994545307-0
                                                                • Opcode ID: d4339e610bb22905c88cd5a1727e30a60528c4d86329db5b2d6a0cd570f2072c
                                                                • Instruction ID: dbaafbaa9e1ee0528f44550b8777dc19d4167c4437d4656f9d97746d6e30d35c
                                                                • Opcode Fuzzy Hash: d4339e610bb22905c88cd5a1727e30a60528c4d86329db5b2d6a0cd570f2072c
                                                                • Instruction Fuzzy Hash: B851A171A0030A9FCB14FBB4DC55AAEB7A6BF84204F14896DE5129F755EF30E804CBA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 019151A2
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.487160823.0000000001910000.00000040.00000001.sdmp, Offset: 01910000, based on PE: false
                                                                Similarity
                                                                • API ID: CreateWindow
                                                                • String ID:
                                                                • API String ID: 716092398-0
                                                                • Opcode ID: d2925b44013ec8ce65de164001b290f69e5b33849842fed336a52172d4ea9737
                                                                • Instruction ID: f943d84fb489c41b16eea9633bbc192b580286cde0e4366c9608fe9d3cf1792a
                                                                • Opcode Fuzzy Hash: d2925b44013ec8ce65de164001b290f69e5b33849842fed336a52172d4ea9737
                                                                • Instruction Fuzzy Hash: 8A51E2B1D0030C9FEB15CF99C884ADEBBB5FF88314F65852AE819AB214D7749885CF90
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • CallWindowProcW.USER32(?,?,?,?,?), ref: 01917F01
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.487160823.0000000001910000.00000040.00000001.sdmp, Offset: 01910000, based on PE: false
                                                                Similarity
                                                                • API ID: CallProcWindow
                                                                • String ID:
                                                                • API String ID: 2714655100-0
                                                                • Opcode ID: 108bd08e02307bb65994e0b0652fd7c33bd804c5db2e1276a1d298f48140f567
                                                                • Instruction ID: 699d430af5470aacf813cc09f246165879c1af978f192afa829b6bbb7155bb43
                                                                • Opcode Fuzzy Hash: 108bd08e02307bb65994e0b0652fd7c33bd804c5db2e1276a1d298f48140f567
                                                                • Instruction Fuzzy Hash: 36412CB4900309CFDB14CF99C449AABBBF5FF88314F148859E519A7325D774A841CFA0
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01916BEF
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.487160823.0000000001910000.00000040.00000001.sdmp, Offset: 01910000, based on PE: false
                                                                Similarity
                                                                • API ID: DuplicateHandle
                                                                • String ID:
                                                                • API String ID: 3793708945-0
                                                                • Opcode ID: 9e410caccb00464282d884d3432fd6a6f2f483beb99c7ed37dc3a7df2b75a927
                                                                • Instruction ID: 1c8516523c33bd835b1d16ab4b60e373c0fc011373fa4d19cb51f521900e0c59
                                                                • Opcode Fuzzy Hash: 9e410caccb00464282d884d3432fd6a6f2f483beb99c7ed37dc3a7df2b75a927
                                                                • Instruction Fuzzy Hash: C921C2B5D002489FDB10DFAAD984ADEBBF8FB48324F14841AE918A7310D374A944CFA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,?,00000000,?,01617D19,00000800), ref: 01617DAA
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.485120325.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: false
                                                                Similarity
                                                                • API ID: LibraryLoad
                                                                • String ID:
                                                                • API String ID: 1029625771-0
                                                                • Opcode ID: 91006eb618f2ab2cce55d63a68eb104739b8ae5780b8ca020984333e41236335
                                                                • Instruction ID: e5097c7aaa00f1c7e3ac0625c4940ddb265407e0bb4496e324e6d0e0c5cfb52c
                                                                • Opcode Fuzzy Hash: 91006eb618f2ab2cce55d63a68eb104739b8ae5780b8ca020984333e41236335
                                                                • Instruction Fuzzy Hash: 721106B6D002088FDB10DF9AD844BEEBBF4EB48320F44842AE515A7700C375A545CFA5
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,?,00000000,?,01617D19,00000800), ref: 01617DAA
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.485120325.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: false
                                                                Similarity
                                                                • API ID: LibraryLoad
                                                                • String ID:
                                                                • API String ID: 1029625771-0
                                                                • Opcode ID: 34092bfbf38839c89ca01e6e5809b98308fc499dc66449583815115d4c0c2851
                                                                • Instruction ID: 19c7e36f6d34f34c6d21da2924c6731e7a880d2122e43160362e398b7763bc0a
                                                                • Opcode Fuzzy Hash: 34092bfbf38839c89ca01e6e5809b98308fc499dc66449583815115d4c0c2851
                                                                • Instruction Fuzzy Hash: C22117B2C002499FDB10DFAAD844AEEFBF4AB88324F14851EE519A7700C375A545CFA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • RtlEncodePointer.NTDLL(00000000), ref: 0191BE72
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.487160823.0000000001910000.00000040.00000001.sdmp, Offset: 01910000, based on PE: false
                                                                Similarity
                                                                • API ID: EncodePointer
                                                                • String ID:
                                                                • API String ID: 2118026453-0
                                                                • Opcode ID: f7982ca783440f8682481a66c2bbd0103e5a84a09f2a78e556eb7045161c7c00
                                                                • Instruction ID: 4028f72d60b4b0e59ef6b71191473770d9af77d951aa9cbecc48cc5b386d3e8b
                                                                • Opcode Fuzzy Hash: f7982ca783440f8682481a66c2bbd0103e5a84a09f2a78e556eb7045161c7c00
                                                                • Instruction Fuzzy Hash: D8119DB19003498FDB10EFAAD5487AEBFF9FB44324F208429D509A7704CB396444CFA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.484909409.0000000001570000.00000040.00000001.sdmp, Offset: 01570000, based on PE: false
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:
                                                                • API String ID: 2994545307-0
                                                                • Opcode ID: fd75c0328db51ea46bcb60e756f5025f3d065ad7c83f2b7d8cc04f40f4c87977
                                                                • Instruction ID: 8c7ea16d92c10ce870f508d9078fd5e06009585908dc78390b5e3bbced3d7f98
                                                                • Opcode Fuzzy Hash: fd75c0328db51ea46bcb60e756f5025f3d065ad7c83f2b7d8cc04f40f4c87977
                                                                • Instruction Fuzzy Hash: 37113070E11218DFDB14EFA5D845A9DBBF6FF84314F108428D501AB350DB759845CF94
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 01914116
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.487160823.0000000001910000.00000040.00000001.sdmp, Offset: 01910000, based on PE: false
                                                                Similarity
                                                                • API ID: HandleModule
                                                                • String ID:
                                                                • API String ID: 4139908857-0
                                                                • Opcode ID: 673291b3b3660c768135747075777a6de736e3c2d9cde7b7dc2da71d84b4127c
                                                                • Instruction ID: 881b57eed1c5eab39fd5343de8bf77e804efd4e9b3f37d32a40b2f01758e3bee
                                                                • Opcode Fuzzy Hash: 673291b3b3660c768135747075777a6de736e3c2d9cde7b7dc2da71d84b4127c
                                                                • Instruction Fuzzy Hash: 131120B1D002498BDB20DFAAC444BDEFBF8EB88324F10842AD919A7600D374A545CFA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 01914116
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.487160823.0000000001910000.00000040.00000001.sdmp, Offset: 01910000, based on PE: false
                                                                Similarity
                                                                • API ID: HandleModule
                                                                • String ID:
                                                                • API String ID: 4139908857-0
                                                                • Opcode ID: 71272efc3fdbc0b6ebaf3538dc23f7619e74e91438defacd8757de62aab5fa82
                                                                • Instruction ID: 232841dd0db4691924299e1484e55f2c1174a9b9368c9df43a1282ad7b6a0cac
                                                                • Opcode Fuzzy Hash: 71272efc3fdbc0b6ebaf3538dc23f7619e74e91438defacd8757de62aab5fa82
                                                                • Instruction Fuzzy Hash: DD11F0B2D002498BDB10DFAAC844ADEFBF8EB88324F15842AD519A7600D375A545CFA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • OleInitialize.OLE32(00000000), ref: 0161B7D5
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.485120325.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: false
                                                                Similarity
                                                                • API ID: Initialize
                                                                • String ID:
                                                                • API String ID: 2538663250-0
                                                                • Opcode ID: 0ee347e0eada1fca0e4b20016a0bc9342ad579a1b97d4f7b89ab25112ae09ead
                                                                • Instruction ID: a97df8f5a2ab27d1c67c7811ba01ff251751ba2e475758e232b0d1887b076510
                                                                • Opcode Fuzzy Hash: 0ee347e0eada1fca0e4b20016a0bc9342ad579a1b97d4f7b89ab25112ae09ead
                                                                • Instruction Fuzzy Hash: 6B1145B58002488FDB20DF99D885BEEFFF8EB48324F188519E618A7700C374A944CFA5
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • OleInitialize.OLE32(00000000), ref: 0161B7D5
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.485120325.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: false
                                                                Similarity
                                                                • API ID: Initialize
                                                                • String ID:
                                                                • API String ID: 2538663250-0
                                                                • Opcode ID: e09fd66eb53a3b34e40fed8028614e9dc5fb21d87a5fd2add21d660057859bc1
                                                                • Instruction ID: 5d0ec789ef884f84e2276c8bf987831f0e34df6841cf56e68dbd4519b2722041
                                                                • Opcode Fuzzy Hash: e09fd66eb53a3b34e40fed8028614e9dc5fb21d87a5fd2add21d660057859bc1
                                                                • Instruction Fuzzy Hash: C81115B19006488FCB20DF9AD888BEEBBF4EB48324F188459E519A7700D374A944CFA5
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                APIs
                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 01914116
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.487160823.0000000001910000.00000040.00000001.sdmp, Offset: 01910000, based on PE: false
                                                                Similarity
                                                                • API ID: HandleModule
                                                                • String ID:
                                                                • API String ID: 4139908857-0
                                                                • Opcode ID: 8e80e6297750384f5f1520a926bb81db0fc43f62f1395c0e9919fb01e13bd8fd
                                                                • Instruction ID: eb8b1dd0d0c4318b1aa38804f46e1472e43da0414d371bde768ba17ce9eae6eb
                                                                • Opcode Fuzzy Hash: 8e80e6297750384f5f1520a926bb81db0fc43f62f1395c0e9919fb01e13bd8fd
                                                                • Instruction Fuzzy Hash: 980128B19006488FDB14CF9AD444389FBF4EF9C319F2481A9D40CA7215D3359586CFA5
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.485317215.000000000164D000.00000040.00000001.sdmp, Offset: 0164D000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 914e46e71b7643d8625bacd3f02e01c4aaea6c0710bf1d6b331b5cd8b72d6f2d
                                                                • Instruction ID: 5723774b3b87d40e13faecb4e7595d06cbd7ec1139e479b0f593a737f9c22fe4
                                                                • Opcode Fuzzy Hash: 914e46e71b7643d8625bacd3f02e01c4aaea6c0710bf1d6b331b5cd8b72d6f2d
                                                                • Instruction Fuzzy Hash: B3210071904200EFDB15DF54D8C0B66BB65FB98228F208568E9050A206C736E806CAA1
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.485399685.000000000165D000.00000040.00000001.sdmp, Offset: 0165D000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: df84c9511b9dfeec7e24ccc5bbf4db82f0ea6bbea21e7eaab8712b8fcb1ceec2
                                                                • Instruction ID: f6c3848ab68871903399d307a6e5bc10973c3213b602b634f3a7879c80f63fe3
                                                                • Opcode Fuzzy Hash: df84c9511b9dfeec7e24ccc5bbf4db82f0ea6bbea21e7eaab8712b8fcb1ceec2
                                                                • Instruction Fuzzy Hash: E9210071504200DFDB51DF64D8C0B26BB65FB84264F20C969EC0A4B386C33AD847CA61
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.485399685.000000000165D000.00000040.00000001.sdmp, Offset: 0165D000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ef900f0c9eae67d77553a5017c257519c61413c98b4b0848c5ab40f0c721b75d
                                                                • Instruction ID: 47d3dd8fd19aa8d406051334b2038af6a57383450c529d11a6ac56c47ff62046
                                                                • Opcode Fuzzy Hash: ef900f0c9eae67d77553a5017c257519c61413c98b4b0848c5ab40f0c721b75d
                                                                • Instruction Fuzzy Hash: 4A218E755083809FDB02CF24D994B15BF71EB46214F28C5EAD8498B7A7C33A984ACB62
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.485317215.000000000164D000.00000040.00000001.sdmp, Offset: 0164D000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 271571bf63b683bd8fd3ad9a959b9fcae56c0e012991da2111f19472818dd285
                                                                • Instruction ID: e4f8da99e056e1a9f78005e8f1af151ed63c0b896627904e544a19cb76968eef
                                                                • Opcode Fuzzy Hash: 271571bf63b683bd8fd3ad9a959b9fcae56c0e012991da2111f19472818dd285
                                                                • Instruction Fuzzy Hash: 0211AF76804280CFDF16CF54D9C4B56BF71FB94328F2486A9D8050B617C336D45ACBA2
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%
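The entries above carry two pieces of information a triage analyst actually uses: the API referenced from each function (for example DuplicateHandle, LoadLibraryExW, CreateWindowExW) and the memory region the function was recovered from. Every "Source File" in this listing is a .sdmp memory dump with a protection field of 00000040 and "based on PE: false"; 0x40 is the Win32 PAGE_EXECUTE_READWRITE constant, so these are writable, executable regions that are not backed by an image on disk, which is the usual footprint of unpacked or injected code. The following script is an added example, not code from the Joe Sandbox report, that parses those two line types and groups the referenced APIs by region. The meaning assigned to the dotted fields of the .sdmp name (process index, analysis phase, dump id, base address, page protection, region type) is an assumption inferred from the visible values; the one field that can be checked is the base address, which matches the "Offset:" printed on the same line.

```python
"""Decode Joe Sandbox function-listing lines of the kind shown above.

Added example; not part of the original report. The field layout of the
.sdmp file name below is an ASSUMPTION drawn from the visible values.
"""
import re

# Win32 page-protection constants (winnt.h); only the ones needed here.
PAGE_PROTECTION = {
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
}

# "<pid>.<phase>.<dump id>.<base>.<protection>.<type>.sdmp, Offset: <hex>, based on PE: <bool>"
SDMP_RE = re.compile(
    r"Source File:\s*(?P<pid>[0-9A-Fa-f]{8})\.(?P<phase>[0-9A-Fa-f]{8})\."
    r"(?P<dump_id>[0-9A-Fa-f]+)\.(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\."
    r"(?P<kind>[0-9A-Fa-f]{8})\.sdmp,\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)"
)
# "<Api>.<MODULE>(<args>), ref: <hex address>"
API_RE = re.compile(
    r"(?P<api>\w+)\.(?P<module>[A-Z0-9]+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)


def parse_sdmp(line):
    """Describe one 'Source File:' line; None if the line is not one."""
    m = SDMP_RE.search(line)
    if not m:
        return None
    base = int(m.group("base"), 16)
    prot = int(m.group("prot"), 16)
    return {
        "pid": int(m.group("pid"), 16),          # assumed: process index
        "phase": int(m.group("phase"), 16),      # assumed: analysis phase
        "base": base,
        "protection": prot,
        "protection_name": PAGE_PROTECTION.get(prot, hex(prot)),
        "pe_backed": m.group("pe") == "true",
        # Consistency check: base field must equal the Offset on the same line.
        "base_matches_offset": base == int(m.group("offset"), 16),
    }


def parse_api(line):
    """Return (api, module, ref_address) for an API reference line, else None."""
    m = API_RE.search(line)
    if not m:
        return None
    return m.group("api"), m.group("module"), int(m.group("ref"), 16)


def group_apis_by_region(lines):
    """Walk the listing in order. In each entry the API lines come first and the
    'Source File:' line follows, so pending APIs attach to the next region seen.
    Returns {base_address: {"region": dict, "apis": set((api, module, ref))}}."""
    regions = {}
    pending = []
    for line in lines:
        api = parse_api(line)
        if api:
            pending.append(api)
            continue
        region = parse_sdmp(line)
        if region:
            entry = regions.setdefault(region["base"], {"region": region, "apis": set()})
            entry["apis"].update(pending)
            pending = []
    return regions


def suspicious_regions(regions):
    """Bases of regions that are RWX and not image-backed: the classic footprint
    of unpacked or injected code, sorted by address."""
    return sorted(
        base for base, e in regions.items()
        if e["region"]["protection"] == 0x40 and not e["region"]["pe_backed"]
    )


# Constructed input: a handful of lines copied from the listing above.
SAMPLE = """
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 019151A2
• Source File: 00000005.00000002.487160823.0000000001910000.00000040.00000001.sdmp, Offset: 01910000, based on PE: false
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01916BEF
• Source File: 00000005.00000002.487160823.0000000001910000.00000040.00000001.sdmp, Offset: 01910000, based on PE: false
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,?,00000000,?,01617D19,00000800), ref: 01617DAA
• Source File: 00000005.00000002.485120325.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: false
• Source File: 00000005.00000002.484909409.0000000001570000.00000040.00000001.sdmp, Offset: 01570000, based on PE: false
""".strip().splitlines()

if __name__ == "__main__":
    found = group_apis_by_region(SAMPLE)
    for base in suspicious_regions(found):
        e = found[base]
        names = sorted(f"{a}.{m}@{r:08X}" for a, m, r in e["apis"])
        print(f"{base:08X} {e['region']['protection_name']} "
              f"PE-backed={e['region']['pe_backed']} apis={names}")
```

Run against the full listing, the script gives a per-region view of which Win32 APIs were recovered from each RWX, non-image-backed region; the regions at 01570000, 01610000 and 01910000 in this report all qualify, and the entries without an API line (the InitializeThunk and empty-API blocks above) simply contribute nothing to the API set.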

                                                                Non-executed Functions

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.484909409.0000000001570000.00000040.00000001.sdmp, Offset: 01570000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 5f771936c1d71966b6caa35e98b079f52c456a5fc4c21bce4b819fda189e4ca5
                                                                • Instruction ID: f93455c024e7569fe285d33d5acde1f62b97bfcb574613e432b9b4059096d1c2
                                                                • Opcode Fuzzy Hash: 5f771936c1d71966b6caa35e98b079f52c456a5fc4c21bce4b819fda189e4ca5
                                                                • Instruction Fuzzy Hash: A0131D70D1061A8FCB14EF68C894A9DF7B1FF99300F15C69AD559AB221EB30AAC5CF41
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.484909409.0000000001570000.00000040.00000001.sdmp, Offset: 01570000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c61cef70e95b0de837dbe2e2f581c9c699e073556b3c1777caf02ab8181e25eb
                                                                • Instruction ID: 19e01f1c12a2d372babdbdad0324f54ea95aa07fb8694a9e22b8d05ed3fae83c
                                                                • Opcode Fuzzy Hash: c61cef70e95b0de837dbe2e2f581c9c699e073556b3c1777caf02ab8181e25eb
                                                                • Instruction Fuzzy Hash: BB428C30A003098FDB14EFB9D8546AEBBB2BF85304F288569D5069F795EB35DC46CB90
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%

                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.485120325.0000000001610000.00000040.00000001.sdmp, Offset: 01610000, based on PE: false
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e80a89394cb43e82133fa0e22e6b24457228a9bd3696a4f6bf017ed0e30a5303
                                                                • Instruction ID: 95e4caceb23dd74a465788e9b23f23ab0f7f2b660462f561126510dac8b0b39b
                                                                • Opcode Fuzzy Hash: e80a89394cb43e82133fa0e22e6b24457228a9bd3696a4f6bf017ed0e30a5303
                                                                • Instruction Fuzzy Hash: 89A17E36E1021A8FCF15DFB9C8445DDBBB3FF84300B19856AE905BB225DB71A915CB40
                                                                Uniqueness

                                                                Uniqueness Score: -1.00%