Windows Analysis Report qOthJCpJ8E

Overview

General Information

Sample Name: qOthJCpJ8E (renamed file extension from none to exe)
Analysis ID: 491500
MD5: b0a10bd27d48fea4e569797829057892
SHA1: 5909c3383e27a1c5e7edcadd5319b31d2813df12
SHA256: 4e63cadd6aa91bc65755bd2b4035a3451cbc4854ed2817ac08941919f892f7e7
Tags: 32, AgentTesla, exe, trojan
Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Multi AV Scanner detection for domain / URL
Installs a global keyboard hook
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains potential unpacker
Injects a PE file into a foreign process
.NET source code contains very large array initializations
.NET source code contains very large strings
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • qOthJCpJ8E.exe (PID: 6764 cmdline: 'C:\Users\user\Desktop\qOthJCpJ8E.exe' MD5: B0A10BD27D48FEA4E569797829057892)
    • qOthJCpJ8E.exe (PID: 6916 cmdline: C:\Users\user\Desktop\qOthJCpJ8E.exe MD5: B0A10BD27D48FEA4E569797829057892)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "admin@airseaalliance.com", "Password": "CIRcumFerted221", "Host": "mail.airseaalliance.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000004.00000002.607696805.0000000002B81000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000004.00000002.607696805.0000000002B81000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000004.00000002.601109843.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000004.00000002.601109843.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000002.00000002.354431528.0000000002911000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
(7 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author
2.2.qOthJCpJ8E.exe.39e8810.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
2.2.qOthJCpJ8E.exe.39e8810.4.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
4.2.qOthJCpJ8E.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
4.2.qOthJCpJ8E.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
2.2.qOthJCpJ8E.exe.3b18b90.3.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(4 further entries not shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 2.2.qOthJCpJ8E.exe.39e8810.4.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "admin@airseaalliance.com", "Password": "CIRcumFerted221", "Host": "mail.airseaalliance.com"}
Multi AV Scanner detection for submitted file
Source: qOthJCpJ8E.exe | Virustotal: Detection: 24%
Source: qOthJCpJ8E.exe | ReversingLabs: Detection: 22%
Multi AV Scanner detection for domain / URL
Source: airseaalliance.com | Virustotal: Detection: 11%
Source: 4.2.qOthJCpJ8E.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: qOthJCpJ8E.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: qOthJCpJ8E.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.6:49804 -> 135.181.211.109:587
Source: Joe Sandbox View | ASN Name: HETZNER-ASDE
Source: Joe Sandbox View | IP Address: 135.181.211.109
Source: global traffic | TCP traffic: 192.168.2.6:49804 -> 135.181.211.109:587
Source: qOthJCpJ8E.exe, 00000004.00000002.607696805.0000000002B81000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: qOthJCpJ8E.exe, 00000004.00000002.607696805.0000000002B81000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: qOthJCpJ8E.exe, 00000004.00000002.607696805.0000000002B81000.00000004.00000001.sdmp | String found in binary or memory: http://NKPyoe.com
Source: qOthJCpJ8E.exe, 00000004.00000002.609099464.0000000002EEE000.00000004.00000001.sdmp | String found in binary or memory: http://airseaalliance.com
Source: qOthJCpJ8E.exe, 00000004.00000002.609055198.0000000002EE4000.00000004.00000001.sdmp, qOthJCpJ8E.exe, 00000004.00000002.607696805.0000000002B81000.00000004.00000001.sdmp, qOthJCpJ8E.exe, 00000004.00000002.609182262.0000000002EFC000.00000004.00000001.sdmp, qOthJCpJ8E.exe, 00000004.00000002.609099464.0000000002EEE000.00000004.00000001.sdmp | String found in binary or memory: http://b1mW8jjfSsi.com
Source: qOthJCpJ8E.exe, 00000002.00000002.357282408.00000000069E2000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: qOthJCpJ8E.exe, 00000004.00000002.609099464.0000000002EEE000.00000004.00000001.sdmp | String found in binary or memory: http://mail.airseaalliance.com
Source: qOthJCpJ8E.exe, 00000002.00000002.357282408.00000000069E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: qOthJCpJ8E.exe, 00000002.00000002.357282408.00000000069E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: qOthJCpJ8E.exe, 00000002.00000002.357282408.00000000069E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: qOthJCpJ8E.exe, 00000002.00000002.357282408.00000000069E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: qOthJCpJ8E.exe, 00000002.00000002.357282408.00000000069E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: qOthJCpJ8E.exe, 00000002.00000002.357282408.00000000069E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: qOthJCpJ8E.exe, 00000002.00000003.344939105.0000000000D6D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-joAy
Source: qOthJCpJ8E.exe, 00000002.00000002.357282408.00000000069E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: qOthJCpJ8E.exe, 00000002.00000002.357282408.00000000069E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: qOthJCpJ8E.exe, 00000002.00000002.357282408.00000000069E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: qOthJCpJ8E.exe, 00000002.00000002.357282408.00000000069E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: qOthJCpJ8E.exe, 00000002.00000002.357282408.00000000069E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: qOthJCpJ8E.exe, 00000002.00000002.357282408.00000000069E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: qOthJCpJ8E.exe, 00000002.00000002.357282408.00000000069E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: qOthJCpJ8E.exe, 00000002.00000002.357282408.00000000069E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: qOthJCpJ8E.exe, 00000002.00000002.357282408.00000000069E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: qOthJCpJ8E.exe, 00000002.00000002.357282408.00000000069E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: qOthJCpJ8E.exe, 00000002.00000002.357282408.00000000069E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: qOthJCpJ8E.exe, 00000002.00000002.357282408.00000000069E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: qOthJCpJ8E.exe | String found in binary or memory: http://www.rspb.org.uk/wildlife/birdguide/name/
Source: qOthJCpJ8E.exe, 00000002.00000002.357282408.00000000069E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: qOthJCpJ8E.exe, 00000002.00000002.357282408.00000000069E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: qOthJCpJ8E.exe, 00000002.00000002.357282408.00000000069E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: qOthJCpJ8E.exe, 00000002.00000002.357282408.00000000069E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: qOthJCpJ8E.exe, 00000002.00000002.357282408.00000000069E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: qOthJCpJ8E.exe, 00000002.00000002.357282408.00000000069E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: qOthJCpJ8E.exe, 00000002.00000002.357282408.00000000069E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: qOthJCpJ8E.exe, 00000004.00000002.607696805.0000000002B81000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%
Source: qOthJCpJ8E.exe, 00000004.00000002.607696805.0000000002B81000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: qOthJCpJ8E.exe, 00000002.00000002.355601283.0000000003911000.00000004.00000001.sdmp, qOthJCpJ8E.exe, 00000004.00000002.601109843.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: qOthJCpJ8E.exe, 00000004.00000002.607696805.0000000002B81000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | DNS traffic detected: queries for: mail.airseaalliance.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\qOthJCpJ8E.exe
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary:

.NET source code contains very large array initializations
Source: 4.2.qOthJCpJ8E.exe.400000.0.unpack, <PrivateImplementationDetails>{FCF4D28C-7E2B-4479-87E8-BA9F53AFCDF6}/A57FD5A0-5234-4B4C-ADC4-B1B12C4B9358.cs | Large array initialization: .cctor: array initializer size 11965
.NET source code contains very large strings
Source: qOthJCpJ8E.exe, Darwin.WindowsForm/SearchResults.cs | Long String: Length: 34816
Source: 2.0.qOthJCpJ8E.exe.370000.0.unpack, Darwin.WindowsForm/SearchResults.cs | Long String: Length: 34816
Source: 2.2.qOthJCpJ8E.exe.370000.0.unpack, Darwin.WindowsForm/SearchResults.cs | Long String: Length: 34816
Source: 4.2.qOthJCpJ8E.exe.770000.1.unpack, Darwin.WindowsForm/SearchResults.cs | Long String: Length: 34816
Source: 4.0.qOthJCpJ8E.exe.770000.0.unpack, Darwin.WindowsForm/SearchResults.cs | Long String: Length: 34816
Source: qOthJCpJ8E.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Code function: 2_2_00D4C194
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Code function: 2_2_00D4E5F0
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Code function: 2_2_00D4E5E0
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Code function: 4_2_00C5C160
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Code function: 4_2_00C52D00
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Code function: 4_2_00C58D30
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Code function: 4_2_00C516F0
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Code function: 4_2_00C55660
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Code function: 4_2_00C5C150
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Code function: 4_2_00C5B108
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Code function: 4_2_00C6E2E0
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Code function: 4_2_00C654F0
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Code function: 4_2_00C610A0
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Code function: 4_2_00C60040
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Code function: 4_2_00C64C50
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Code function: 4_2_00C6F03F
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Code function: 4_2_00C6B348
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Code function: 4_2_00C6C470
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Code function: 4_2_00C639E0
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Code function: 4_2_00F646A0
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Code function: 4_2_00F645B0
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Code function: 4_2_00F64690
Source: qOthJCpJ8E.exe, 00000002.00000002.354759570.0000000002A41000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameColladaLoader.dll4 vs qOthJCpJ8E.exe
Source: qOthJCpJ8E.exe, 00000002.00000002.354431528.0000000002911000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamegEneauOKEZEdTpbQwHqNSSmzLDmq.exe4 vs qOthJCpJ8E.exe
Source: qOthJCpJ8E.exe, 00000002.00000002.358534563.0000000006FC0000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameCF_Secretaria.dll< vs qOthJCpJ8E.exe
Source: qOthJCpJ8E.exe, 00000002.00000002.353246719.0000000000440000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameContractArgumentValidatorAttribu.exe4 vs qOthJCpJ8E.exe
Source: qOthJCpJ8E.exe, 00000004.00000002.601109843.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamegEneauOKEZEdTpbQwHqNSSmzLDmq.exe4 vs qOthJCpJ8E.exe
Source: qOthJCpJ8E.exe, 00000004.00000000.352344430.0000000000840000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameContractArgumentValidatorAttribu.exe4 vs qOthJCpJ8E.exe
Source: qOthJCpJ8E.exe, 00000004.00000002.601596246.00000000009D8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs qOthJCpJ8E.exe
Source: qOthJCpJ8E.exe | Binary or memory string: OriginalFilenameContractArgumentValidatorAttribu.exe4 vs qOthJCpJ8E.exe
Source: qOthJCpJ8E.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: qOthJCpJ8E.exe | Virustotal: Detection: 24%
Source: qOthJCpJ8E.exe | ReversingLabs: Detection: 22%
Source: qOthJCpJ8E.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\qOthJCpJ8E.exe 'C:\Users\user\Desktop\qOthJCpJ8E.exe'
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Process created: C:\Users\user\Desktop\qOthJCpJ8E.exe C:\Users\user\Desktop\qOthJCpJ8E.exe
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\qOthJCpJ8E.exe.log
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/1
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: 4.2.qOthJCpJ8E.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: qOthJCpJ8E.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: qOthJCpJ8E.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker
Source: qOthJCpJ8E.exe, Darwin.WindowsForm/MainForm.cs | .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.qOthJCpJ8E.exe.370000.0.unpack, Darwin.WindowsForm/MainForm.cs | .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.qOthJCpJ8E.exe.370000.0.unpack, Darwin.WindowsForm/MainForm.cs | .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.qOthJCpJ8E.exe.770000.1.unpack, Darwin.WindowsForm/MainForm.cs | .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.qOthJCpJ8E.exe.770000.0.unpack, Darwin.WindowsForm/MainForm.cs | .Net Code: DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Code function: 4_2_00C58B65 push esp; iretd 4_2_00C58B66
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Code function: 4_2_00C6BD52 push eax; ret 4_2_00C6BD59
Source: initial sample | Static PE information: section name: .text entropy: 7.07581849985
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: 2.2.qOthJCpJ8E.exe.296859c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.354431528.0000000002911000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.354577262.000000000298D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: qOthJCpJ8E.exe PID: 6764, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: qOthJCpJ8E.exe, 00000002.00000002.354577262.000000000298D000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: qOthJCpJ8E.exe, 00000002.00000002.354577262.000000000298D000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe TID: 6768 | Thread sleep time: -35515s >= -30000s
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe TID: 6816 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe TID: 7072 | Thread sleep time: -23058430092136925s >= -30000s
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe TID: 7076 | Thread sleep count: 1879 > 30
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe TID: 7076 | Thread sleep count: 7961 > 30
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Window / User API: threadDelayed 1879
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Window / User API: threadDelayed 7961
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Thread delayed: delay time: 35515
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Thread delayed: delay time: 922337203685477
Source: qOthJCpJ8E.exe, 00000002.00000002.354577262.000000000298D000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: qOthJCpJ8E.exe, 00000002.00000002.354577262.000000000298D000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: qOthJCpJ8E.exe, 00000002.00000002.354577262.000000000298D000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: qOthJCpJ8E.exe, 00000002.00000002.354577262.000000000298D000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Code function: 4_2_00C51FA8 LdrInitializeThunk,4_2_00C51FA8
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Memory written: C:\Users\user\Desktop\qOthJCpJ8E.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Process created: C:\Users\user\Desktop\qOthJCpJ8E.exe C:\Users\user\Desktop\qOthJCpJ8E.exe
Source: qOthJCpJ8E.exe, 00000004.00000002.607570784.0000000001670000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: qOthJCpJ8E.exe, 00000004.00000002.607570784.0000000001670000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: qOthJCpJ8E.exe, 00000004.00000002.607570784.0000000001670000.00000002.00020000.sdmp | Binary or memory string: &Program Manager
Source: qOthJCpJ8E.exe, 00000004.00000002.607570784.0000000001670000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Users\user\Desktop\qOthJCpJ8E.exe VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\qOthJCpJ8E.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Entity\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Entity.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Users\user\Desktop\qOthJCpJ8E.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\qOthJCpJ8E.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla
    Source: Yara match, file source: 2.2.qOthJCpJ8E.exe.39e8810.4.unpack, type: UNPACKEDPE
    Source: Yara match, file source: 4.2.qOthJCpJ8E.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara match, file source: 2.2.qOthJCpJ8E.exe.3b18b90.3.raw.unpack, type: UNPACKEDPE
    Source: Yara match, file source: 2.2.qOthJCpJ8E.exe.39e8810.4.raw.unpack, type: UNPACKEDPE
    Source: Yara match, file source: 00000004.00000002.601109843.0000000000402000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara match, file source: 00000002.00000002.355601283.0000000003911000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, file source: 00000004.00000002.607696805.0000000002B81000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, file source: Process Memory Space: qOthJCpJ8E.exe PID: 6764, type: MEMORYSTR
    Source: Yara match, file source: Process Memory Space: qOthJCpJ8E.exe PID: 6916, type: MEMORYSTR
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
    Source: C:\Users\user\Desktop\qOthJCpJ8E.exe, Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal ftp login credentials
    Source: C:\Users\user\Desktop\qOthJCpJ8E.exe, File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
    Source: C:\Users\user\Desktop\qOthJCpJ8E.exe, File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Tries to steal Mail credentials (via file access)
    Source: C:\Users\user\Desktop\qOthJCpJ8E.exe, File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
    Source: C:\Users\user\Desktop\qOthJCpJ8E.exe, File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
    Source: C:\Users\user\Desktop\qOthJCpJ8E.exe, Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
    Source: C:\Users\user\Desktop\qOthJCpJ8E.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Tries to harvest and steal browser information (history, passwords, etc)
    Source: C:\Users\user\Desktop\qOthJCpJ8E.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
    Source: C:\Users\user\Desktop\qOthJCpJ8E.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
    Source: Yara match, file source: 00000004.00000002.607696805.0000000002B81000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara match, file source: Process Memory Space: qOthJCpJ8E.exe PID: 6916, type: MEMORYSTR

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 2.2.qOthJCpJ8E.exe.39e8810.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.qOthJCpJ8E.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.qOthJCpJ8E.exe.3b18b90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.qOthJCpJ8E.exe.39e8810.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.601109843.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.355601283.0000000003911000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.607696805.0000000002B81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: qOthJCpJ8E.exe PID: 6764, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: qOthJCpJ8E.exe PID: 6916, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 211 | Path Interception | Process Injection 112 | Masquerading 1 | OS Credential Dumping 2 | Query Registry 1 | Remote Services | Email Collection 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools 1 | Input Capture 11 | Security Software Discovery 211 | Remote Desktop Protocol | Input Capture 11 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 131 | Credentials in Registry 1 | Process Discovery 2 | SMB/Windows Admin Shares | Archive Collected Data 11 | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 112 | NTDS | Virtualization/Sandbox Evasion 131 | Distributed Component Object Model | Data from Local System 2 | Scheduled Transfer | Application Layer Protocol 11 | SIM Card Swap | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | Application Window Discovery 1 | SSH | Clipboard Data 1 | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 2 | Cached Domain Credentials | Remote System Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 12 | DCSync | System Information Discovery 114 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact

                      Behavior Graph

                      Screenshots


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
qOthJCpJ8E.exe | 25% | Virustotal |
qOthJCpJ8E.exe | 22% | ReversingLabs | ByteCode-MSIL.Trojan.Taskun

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

Source | Detection | Scanner | Label
4.2.qOthJCpJ8E.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

                      Domains

Source | Detection | Scanner | Label
airseaalliance.com | 11% | Virustotal |

                      URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://www.rspb.org.uk/wildlife/birdguide/name/ | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://airseaalliance.com | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://b1mW8jjfSsi.com | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://NKPyoe.com | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://mail.airseaalliance.com | 0% | Avira URL Cloud | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
https://api.ipify.org% | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
airseaalliance.com | 135.181.211.109 | true | true | | unknown
mail.airseaalliance.com | unknown | unknown | true | | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | qOthJCpJ8E.exe, 00000004.00000002.607696805.0000000002B81000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.apache.org/licenses/LICENSE-2.0 | qOthJCpJ8E.exe, 00000002.00000002.357282408.00000000069E2000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com | qOthJCpJ8E.exe, 00000002.00000002.357282408.00000000069E2000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com/designersG | qOthJCpJ8E.exe, 00000002.00000002.357282408.00000000069E2000.00000004.00000001.sdmp | false | | high
http://DynDns.comDynDNS | qOthJCpJ8E.exe, 00000004.00000002.607696805.0000000002B81000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.rspb.org.uk/wildlife/birdguide/name/ | qOthJCpJ8E.exe | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/? | qOthJCpJ8E.exe, 00000002.00000002.357282408.00000000069E2000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | qOthJCpJ8E.exe, 00000002.00000002.357282408.00000000069E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | qOthJCpJ8E.exe, 00000004.00000002.607696805.0000000002B81000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | qOthJCpJ8E.exe, 00000002.00000002.357282408.00000000069E2000.00000004.00000001.sdmp | false | | high
http://www.tiro.com | qOthJCpJ8E.exe, 00000002.00000002.357282408.00000000069E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | qOthJCpJ8E.exe, 00000002.00000002.357282408.00000000069E2000.00000004.00000001.sdmp | false | | high
http://www.goodfont.co.kr | qOthJCpJ8E.exe, 00000002.00000002.357282408.00000000069E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-joAy | qOthJCpJ8E.exe, 00000002.00000003.344939105.0000000000D6D000.00000004.00000001.sdmp | false | | high
http://www.carterandcone.coml | qOthJCpJ8E.exe, 00000002.00000002.357282408.00000000069E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | qOthJCpJ8E.exe, 00000002.00000002.357282408.00000000069E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | qOthJCpJ8E.exe, 00000002.00000002.357282408.00000000069E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://airseaalliance.com | qOthJCpJ8E.exe, 00000004.00000002.609099464.0000000002EEE000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | qOthJCpJ8E.exe, 00000002.00000002.357282408.00000000069E2000.00000004.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | qOthJCpJ8E.exe, 00000002.00000002.357282408.00000000069E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://b1mW8jjfSsi.com | qOthJCpJ8E.exe, 00000004.00000002.609055198.0000000002EE4000.00000004.00000001.sdmp, qOthJCpJ8E.exe, 00000004.00000002.607696805.0000000002B81000.00000004.00000001.sdmp, qOthJCpJ8E.exe, 00000004.00000002.609182262.0000000002EFC000.00000004.00000001.sdmp, qOthJCpJ8E.exe, 00000004.00000002.609099464.0000000002EEE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | qOthJCpJ8E.exe, 00000002.00000002.357282408.00000000069E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | qOthJCpJ8E.exe, 00000002.00000002.357282408.00000000069E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | qOthJCpJ8E.exe, 00000002.00000002.357282408.00000000069E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://NKPyoe.com | qOthJCpJ8E.exe, 00000004.00000002.607696805.0000000002B81000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | qOthJCpJ8E.exe, 00000002.00000002.357282408.00000000069E2000.00000004.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | qOthJCpJ8E.exe, 00000002.00000002.357282408.00000000069E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | qOthJCpJ8E.exe, 00000002.00000002.357282408.00000000069E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | qOthJCpJ8E.exe, 00000002.00000002.357282408.00000000069E2000.00000004.00000001.sdmp | false | | high
https://api.ipify.org%GETMozilla/5.0 | qOthJCpJ8E.exe, 00000004.00000002.607696805.0000000002B81000.00000004.00000001.sdmp | false | URL Reputation: safe | low
http://www.fonts.com | qOthJCpJ8E.exe, 00000002.00000002.357282408.00000000069E2000.00000004.00000001.sdmp | false | | high
http://www.sandoll.co.kr | qOthJCpJ8E.exe, 00000002.00000002.357282408.00000000069E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://mail.airseaalliance.com | qOthJCpJ8E.exe, 00000004.00000002.609099464.0000000002EEE000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
http://www.urwpp.deDPlease | qOthJCpJ8E.exe, 00000002.00000002.357282408.00000000069E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | qOthJCpJ8E.exe, 00000002.00000002.357282408.00000000069E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | qOthJCpJ8E.exe, 00000002.00000002.357282408.00000000069E2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.org% | qOthJCpJ8E.exe, 00000004.00000002.607696805.0000000002B81000.00000004.00000001.sdmp | false | URL Reputation: safe | low
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | qOthJCpJ8E.exe, 00000002.00000002.355601283.0000000003911000.00000004.00000001.sdmp, qOthJCpJ8E.exe, 00000004.00000002.601109843.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown

                                              Contacted IPs


                                              Public

IP | Domain | Country | ASN | ASN Name | Malicious
135.181.211.109 | airseaalliance.com | Germany | 24940 | HETZNER-ASDE | true

                                              General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 491500
Start date: 27.09.2021
Start time: 16:39:39
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 33s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: qOthJCpJ8E (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/1@2/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 0.5% (good quality ratio 0.4%)
• Quality average: 60.2%
• Quality standard deviation: 30.4%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 33
• Number of non-executed functions: 3
Cookbook Comments:
• Adjust boot time
• Enable AMSI
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 2.18.108.150, 93.184.220.29, 20.82.210.154, 23.0.174.200, 23.0.174.185, 20.54.110.249, 40.112.88.60, 23.10.249.43, 23.10.249.26, 95.100.54.203, 20.50.102.62
• Excluded domains from analysis (whitelisted): cs9.wac.phicdn.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a767.dspw65.akamai.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, cdn.onenote.net.edgekey.net, ocsp.digicert.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, cdn.onenote.net, prod.fs.microsoft.com.akadns.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, e1553.dspg.akamaiedge.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                                              Simulations

                                              Behavior and APIs

Time | Type | Description
16:40:40 | API Interceptor | 706x Sleep call for process: qOthJCpJ8E.exe modified

                                              Joe Sandbox View / Context

                                              IPs

Match | Associated Sample Name / URL | Detection | Context
135.181.211.109 | Reciept_02737279293.exe | malicious | airseaalliance.com/wp-admin/lib/fre.php

                                              Domains

Match | Associated Sample Name / URL | Detection | Context
airseaalliance.com | Reciept_02737279293.exe | malicious | 135.181.211.109
 | 0939489392303224233.exe | malicious | 198.136.51.123
 | 0939489392303224233.exe | malicious | 198.136.51.123
 | NEW URGENT ORDER FROM PUK ITALIA GROUP SRL.EXE | malicious | 198.136.51.123
 | cap.exe | malicious | 198.136.51.123
 | USD67,884.08_Payment_Advise_9083008849.exe | malicious | 198.136.51.123

                                              ASN

Match | Associated Sample Name / URL | Detection | Context
HETZNER-ASDE | 7XmWGse79x.exe | malicious | 88.99.75.82
 | m5W1BZQU4m.exe | malicious | 88.99.75.82
 | hHsIHUGICB.exe | malicious | 88.99.75.82
 | NOgYb2fHbO.exe | malicious | 88.99.75.82
 | vKTd7I2OdfBzkW2.exe | malicious | 136.243.159.53
 | VwDvbAowp0.exe | malicious | 88.99.75.82
 | lXy3MnXJ83.exe | malicious | 88.99.75.82
 | SebwAujas5.exe | malicious | 88.99.75.82
 | nxW9yUgdYM.exe | malicious | 88.99.75.82
 | Ov3tXE6rdw.exe | malicious | 168.119.93.163
 | cxBR3cCGTw.exe | malicious | 88.99.75.82
 | Confirmation de cdeclient_5045009.xlsx | malicious | 168.119.93.163
 | KI7JhXnhm9.exe | malicious | 136.243.159.53
 | k5THcVgINl.exe | malicious | 88.99.75.82
 | b2i2IopgOC.exe | malicious | 88.99.75.82
 | G2BPn4a7o1.exe | malicious | 88.99.75.82
 | New Price List.xlsx | malicious | 136.243.159.53
 | qOsCIQD1uR.exe | malicious | 88.99.75.82
 | FedEx Shipment Documents.exe | malicious | 136.243.159.53
 | NC7bm1PoKj.exe | malicious | 88.99.75.82

                                              JA3 Fingerprints

                                              No context

                                              Dropped Files

                                              No context

                                              Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\qOthJCpJ8E.exe.log
Process: C:\Users\user\Desktop\qOthJCpJ8E.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1309
Entropy (8bit): 5.3528008810928345
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84aE4Ks:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzg
MD5: 542338C5A30B02E372089FECDC54D607
SHA1: 6FAD29FF14686FC847B160E876C1E078333F6DCB
SHA-256: 6CEA4E70947B962733754346CE49553BE3FB6E1FB3949C29EC22FA9CA4B7E7B6
SHA-512: FE4431305A8958C4940EB4AC65723A38DA6057C3D30F789C6EDDEBA8962B62E9C0583254E74740855027CF3AE9315E3001A7EEB54168073ED0D2AB9B1F05503A
Malicious: true
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

                                              Static File Info

                                              General

                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Entropy (8bit):6.8234614068068815
                                              TrID:
                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                              • Win32 Executable (generic) a (10002005/4) 49.78%
                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                              • DOS Executable Generic (2002/1) 0.01%
                                              File name:qOthJCpJ8E.exe
                                              File size:882176
                                              MD5:b0a10bd27d48fea4e569797829057892
                                              SHA1:5909c3383e27a1c5e7edcadd5319b31d2813df12
                                              SHA256:4e63cadd6aa91bc65755bd2b4035a3451cbc4854ed2817ac08941919f892f7e7
                                              SHA512:76434b2b0731013ab311035f84986b9385ec2db89c178e74e7f7ec0987bbcfefebe4202756b50c922b30c5e69cc02c2bec4f92687b960cd299c5c4cb0521d290
                                              SSDEEP:12288:fycRcIcGRiuoBQnxcsDA7Mg+Svq4DPp9KDwu43oO3yYeQEi2RA/2xYBSzz2DNBcF:n2IFjF+3e+vms2bC/UP1QHeF+G
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....&Qa..............0.................. ........@.. ....................................@................................

                                              File Icon

                                              Icon Hash:138e8eccece8cccc

                                              Static PE Info

                                              General

                                              Entrypoint:0x4bfade
                                              Entrypoint Section:.text
                                              Digitally signed:false
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                              DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                              Time Stamp:0x6151269F [Mon Sep 27 02:04:15 2021 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:v4.0.30319
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                              Entrypoint Preview

                                              Instruction
                                               jmp dword ptr [00402000h]    ; 0x402000 = image base 0x400000 + IAT RVA 0x2000, the single import slot (mscoree.dll!_CorExeMain); this is the standard native stub of a .NET executable
                                               add byte ptr [eax], al       ; repeated for the rest of the preview: the bytes after the jmp are 00 00 padding, which disassembles as add byte ptr [eax], al

                                              Data Directories

                                               Name | Virtual Address | Virtual Size | Is in Section
                                               IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbfa8c | 0x4f | .text
                                               IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc0000 | 0x19484 | .rsrc
                                               IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xda000 | 0xc | .reloc
                                               IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                               IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                              Sections

                                               Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                               .text | 0x2000 | 0xbdae4 | 0xbdc00 | False | 0.686987915843 | data | 7.07581849985 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                               .rsrc | 0xc0000 | 0x19484 | 0x19600 | False | 0.391895012315 | data | 4.29878052475 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                               .reloc | 0xda000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                              Resources

                                               Name | RVA | Size | Type | Language | Country
                                               RT_ICON | 0xc0180 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | |
                                               RT_ICON | 0xd09b8 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294967295 | |
                                               RT_ICON | 0xd4bf0 | 0x25a8 | data | |
                                               RT_ICON | 0xd71a8 | 0x10a8 | data | |
                                               RT_ICON | 0xd8260 | 0x468 | GLS_BINARY_LSB_FIRST | |
                                               RT_GROUP_ICON | 0xd86d8 | 0x4c | data | |
                                               RT_VERSION | 0xd8734 | 0x38c | PGP symmetric key encrypted data - Plaintext or unencrypted data | |
                                               RT_MANIFEST | 0xd8ad0 | 0x9b0 | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF, LF line terminators | |
                                               (The Type column is a libmagic guess on the raw resource bytes; the dBase and PGP labels on icon and version resources are magic-signature false positives, not an indicator of embedded data.)

                                              Imports

                                               DLL | Import
                                               mscoree.dll | _CorExeMain

                                              Version Infos

                                               Description | Data
                                               Translation | 0x0000 0x04b0
                                               LegalCopyright | Copyright F@Soft
                                               Assembly Version | 1.0.6.2
                                               InternalName | ContractArgumentValidatorAttribu.exe
                                               FileVersion | 1.0.6.0
                                               CompanyName | F@Soft
                                               LegalTrademarks |
                                               Comments |
                                               ProductName | Darwin AW
                                               ProductVersion | 1.0.6.0
                                               FileDescription | Darwin AW
                                               OriginalFilename | ContractArgumentValidatorAttribu.exe

                                              Network Behavior

                                              Snort IDS Alerts

                                               Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                               09/27/21-16:42:31.140086 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49804 | 587 | 192.168.2.6 | 135.181.211.109

                                              TCP Packets

                                               Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                               Sep 27, 2021 16:42:30.611304998 CEST | 49804 | 587 | 192.168.2.6 | 135.181.211.109
                                               Sep 27, 2021 16:42:30.663005114 CEST | 587 | 49804 | 135.181.211.109 | 192.168.2.6
                                               Sep 27, 2021 16:42:30.663153887 CEST | 49804 | 587 | 192.168.2.6 | 135.181.211.109
                                               Sep 27, 2021 16:42:30.791960001 CEST | 587 | 49804 | 135.181.211.109 | 192.168.2.6
                                               Sep 27, 2021 16:42:30.792556047 CEST | 49804 | 587 | 192.168.2.6 | 135.181.211.109
                                               Sep 27, 2021 16:42:30.846227884 CEST | 587 | 49804 | 135.181.211.109 | 192.168.2.6
                                               Sep 27, 2021 16:42:30.849085093 CEST | 49804 | 587 | 192.168.2.6 | 135.181.211.109
                                               Sep 27, 2021 16:42:30.901623964 CEST | 587 | 49804 | 135.181.211.109 | 192.168.2.6
                                               Sep 27, 2021 16:42:30.902833939 CEST | 49804 | 587 | 192.168.2.6 | 135.181.211.109
                                               Sep 27, 2021 16:42:30.967454910 CEST | 587 | 49804 | 135.181.211.109 | 192.168.2.6
                                               Sep 27, 2021 16:42:30.968766928 CEST | 49804 | 587 | 192.168.2.6 | 135.181.211.109
                                               Sep 27, 2021 16:42:31.021490097 CEST | 587 | 49804 | 135.181.211.109 | 192.168.2.6
                                               Sep 27, 2021 16:42:31.022263050 CEST | 49804 | 587 | 192.168.2.6 | 135.181.211.109
                                               Sep 27, 2021 16:42:31.085663080 CEST | 587 | 49804 | 135.181.211.109 | 192.168.2.6
                                               Sep 27, 2021 16:42:31.086240053 CEST | 49804 | 587 | 192.168.2.6 | 135.181.211.109
                                               Sep 27, 2021 16:42:31.138077021 CEST | 587 | 49804 | 135.181.211.109 | 192.168.2.6
                                               Sep 27, 2021 16:42:31.138175011 CEST | 587 | 49804 | 135.181.211.109 | 192.168.2.6
                                               Sep 27, 2021 16:42:31.140085936 CEST | 49804 | 587 | 192.168.2.6 | 135.181.211.109
                                               Sep 27, 2021 16:42:31.140113115 CEST | 49804 | 587 | 192.168.2.6 | 135.181.211.109
                                               Sep 27, 2021 16:42:31.140911102 CEST | 49804 | 587 | 192.168.2.6 | 135.181.211.109
                                               Sep 27, 2021 16:42:31.141004086 CEST | 49804 | 587 | 192.168.2.6 | 135.181.211.109
                                               Sep 27, 2021 16:42:31.192779064 CEST | 587 | 49804 | 135.181.211.109 | 192.168.2.6
                                               Sep 27, 2021 16:42:31.193581104 CEST | 587 | 49804 | 135.181.211.109 | 192.168.2.6
                                               Sep 27, 2021 16:42:31.194349051 CEST | 587 | 49804 | 135.181.211.109 | 192.168.2.6
                                               Sep 27, 2021 16:42:31.235061884 CEST | 49804 | 587 | 192.168.2.6 | 135.181.211.109

                                              UDP Packets

                                               Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                               Sep 27, 2021 16:40:57.261178017 CEST | 63791 | 53 | 192.168.2.6 | 8.8.8.8
                                               Sep 27, 2021 16:40:57.279398918 CEST | 53 | 63791 | 8.8.8.8 | 192.168.2.6
                                               Sep 27, 2021 16:40:58.150991917 CEST | 64267 | 53 | 192.168.2.6 | 8.8.8.8
                                               Sep 27, 2021 16:40:58.164597034 CEST | 53 | 64267 | 8.8.8.8 | 192.168.2.6
                                               Sep 27, 2021 16:41:00.153673887 CEST | 49448 | 53 | 192.168.2.6 | 8.8.8.8
                                               Sep 27, 2021 16:41:00.167629004 CEST | 53 | 49448 | 8.8.8.8 | 192.168.2.6
                                               Sep 27, 2021 16:41:19.366343021 CEST | 60342 | 53 | 192.168.2.6 | 8.8.8.8
                                               Sep 27, 2021 16:41:19.396732092 CEST | 53 | 60342 | 8.8.8.8 | 192.168.2.6
                                               Sep 27, 2021 16:41:20.325140953 CEST | 61346 | 53 | 192.168.2.6 | 8.8.8.8
                                               Sep 27, 2021 16:41:20.394782066 CEST | 53 | 61346 | 8.8.8.8 | 192.168.2.6
                                               Sep 27, 2021 16:41:20.943948984 CEST | 51774 | 53 | 192.168.2.6 | 8.8.8.8
                                               Sep 27, 2021 16:41:20.958260059 CEST | 53 | 51774 | 8.8.8.8 | 192.168.2.6
                                               Sep 27, 2021 16:41:21.445349932 CEST | 56023 | 53 | 192.168.2.6 | 8.8.8.8
                                               Sep 27, 2021 16:41:21.545151949 CEST | 53 | 56023 | 8.8.8.8 | 192.168.2.6
                                               Sep 27, 2021 16:41:21.903871059 CEST | 58384 | 53 | 192.168.2.6 | 8.8.8.8
                                               Sep 27, 2021 16:41:21.919315100 CEST | 53 | 58384 | 8.8.8.8 | 192.168.2.6
                                               Sep 27, 2021 16:41:21.987421036 CEST | 60261 | 53 | 192.168.2.6 | 8.8.8.8
                                               Sep 27, 2021 16:41:22.000401020 CEST | 53 | 60261 | 8.8.8.8 | 192.168.2.6
                                               Sep 27, 2021 16:41:22.380311012 CEST | 56061 | 53 | 192.168.2.6 | 8.8.8.8
                                               Sep 27, 2021 16:41:22.393881083 CEST | 53 | 56061 | 8.8.8.8 | 192.168.2.6
                                               Sep 27, 2021 16:41:22.796385050 CEST | 58336 | 53 | 192.168.2.6 | 8.8.8.8
                                               Sep 27, 2021 16:41:22.809679031 CEST | 53 | 58336 | 8.8.8.8 | 192.168.2.6
                                               Sep 27, 2021 16:41:23.215997934 CEST | 53781 | 53 | 192.168.2.6 | 8.8.8.8
                                               Sep 27, 2021 16:41:23.310338974 CEST | 53 | 53781 | 8.8.8.8 | 192.168.2.6
                                               Sep 27, 2021 16:41:24.006201029 CEST | 54064 | 53 | 192.168.2.6 | 8.8.8.8
                                               Sep 27, 2021 16:41:24.019093037 CEST | 53 | 54064 | 8.8.8.8 | 192.168.2.6
                                               Sep 27, 2021 16:41:25.469414949 CEST | 52811 | 53 | 192.168.2.6 | 8.8.8.8
                                               Sep 27, 2021 16:41:25.483047009 CEST | 53 | 52811 | 8.8.8.8 | 192.168.2.6
                                               Sep 27, 2021 16:41:25.909734011 CEST | 55299 | 53 | 192.168.2.6 | 8.8.8.8
                                               Sep 27, 2021 16:41:25.922770023 CEST | 53 | 55299 | 8.8.8.8 | 192.168.2.6
                                               Sep 27, 2021 16:41:37.814781904 CEST | 63745 | 53 | 192.168.2.6 | 8.8.8.8
                                               Sep 27, 2021 16:41:37.833616018 CEST | 53 | 63745 | 8.8.8.8 | 192.168.2.6
                                               Sep 27, 2021 16:42:02.722985029 CEST | 50055 | 53 | 192.168.2.6 | 8.8.8.8
                                               Sep 27, 2021 16:42:02.789666891 CEST | 53 | 50055 | 8.8.8.8 | 192.168.2.6
                                               Sep 27, 2021 16:42:08.505712032 CEST | 61374 | 53 | 192.168.2.6 | 8.8.8.8
                                               Sep 27, 2021 16:42:08.518668890 CEST | 53 | 61374 | 8.8.8.8 | 192.168.2.6
                                               Sep 27, 2021 16:42:09.618330956 CEST | 50339 | 53 | 192.168.2.6 | 8.8.8.8
                                               Sep 27, 2021 16:42:09.652004957 CEST | 53 | 50339 | 8.8.8.8 | 192.168.2.6
                                               Sep 27, 2021 16:42:30.037147045 CEST | 63307 | 53 | 192.168.2.6 | 8.8.8.8
                                               Sep 27, 2021 16:42:30.094520092 CEST | 53 | 63307 | 8.8.8.8 | 192.168.2.6
                                               Sep 27, 2021 16:42:30.419327974 CEST | 49694 | 53 | 192.168.2.6 | 8.8.8.8
                                               Sep 27, 2021 16:42:30.478144884 CEST | 53 | 49694 | 8.8.8.8 | 192.168.2.6
                                               Sep 27, 2021 16:42:41.668550014 CEST | 54982 | 53 | 192.168.2.6 | 8.8.8.8
                                               Sep 27, 2021 16:42:41.700897932 CEST | 53 | 54982 | 8.8.8.8 | 192.168.2.6

                                              DNS Queries

                                               Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                               Sep 27, 2021 16:42:30.037147045 CEST | 192.168.2.6 | 8.8.8.8 | 0x509 | Standard query (0) | mail.airseaalliance.com | A (IP address) | IN (0x0001)
                                               Sep 27, 2021 16:42:30.419327974 CEST | 192.168.2.6 | 8.8.8.8 | 0xebd | Standard query (0) | mail.airseaalliance.com | A (IP address) | IN (0x0001)

                                              DNS Answers

                                               Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                               Sep 27, 2021 16:42:30.094520092 CEST | 8.8.8.8 | 192.168.2.6 | 0x509 | No error (0) | mail.airseaalliance.com | airseaalliance.com | | CNAME (Canonical name) | IN (0x0001)
                                               Sep 27, 2021 16:42:30.094520092 CEST | 8.8.8.8 | 192.168.2.6 | 0x509 | No error (0) | airseaalliance.com | | 135.181.211.109 | A (IP address) | IN (0x0001)
                                               Sep 27, 2021 16:42:30.478144884 CEST | 8.8.8.8 | 192.168.2.6 | 0xebd | No error (0) | mail.airseaalliance.com | airseaalliance.com | | CNAME (Canonical name) | IN (0x0001)
                                               Sep 27, 2021 16:42:30.478144884 CEST | 8.8.8.8 | 192.168.2.6 | 0xebd | No error (0) | airseaalliance.com | | 135.181.211.109 | A (IP address) | IN (0x0001)

                                              SMTP Packets

                                               Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                               Sep 27, 2021 16:42:30.791960001 CEST | 587 | 49804 | 135.181.211.109 | 192.168.2.6 | 220-lin90.itlinks.com ESMTP Exim 4.94.2 #2 Mon, 27 Sep 2021 16:42:30 +0200
                                                | | | | | 220-We do not authorize the use of this system to transport unsolicited,
                                                | | | | | 220 and/or bulk e-mail.
                                               Sep 27, 2021 16:42:30.792556047 CEST | 49804 | 587 | 192.168.2.6 | 135.181.211.109 | EHLO 302494
                                               Sep 27, 2021 16:42:30.846227884 CEST | 587 | 49804 | 135.181.211.109 | 192.168.2.6 | 250-lin90.itlinks.com Hello 302494 [185.189.150.72]
                                                | | | | | 250-SIZE 52428800
                                                | | | | | 250-8BITMIME
                                                | | | | | 250-PIPELINING
                                                | | | | | 250-PIPE_CONNECT
                                                | | | | | 250-AUTH PLAIN LOGIN
                                                | | | | | 250-STARTTLS
                                                | | | | | 250 HELP
                                               Sep 27, 2021 16:42:30.849085093 CEST | 49804 | 587 | 192.168.2.6 | 135.181.211.109 | AUTH login YWRtaW5AYWlyc2VhYWxsaWFuY2UuY29t
                                               Sep 27, 2021 16:42:30.901623964 CEST | 587 | 49804 | 135.181.211.109 | 192.168.2.6 | 334 UGFzc3dvcmQ6
                                               Sep 27, 2021 16:42:30.967454910 CEST | 587 | 49804 | 135.181.211.109 | 192.168.2.6 | 235 Authentication succeeded
                                               Sep 27, 2021 16:42:30.968766928 CEST | 49804 | 587 | 192.168.2.6 | 135.181.211.109 | MAIL FROM:<admin@airseaalliance.com>
                                               Sep 27, 2021 16:42:31.021490097 CEST | 587 | 49804 | 135.181.211.109 | 192.168.2.6 | 250 OK
                                               Sep 27, 2021 16:42:31.022263050 CEST | 49804 | 587 | 192.168.2.6 | 135.181.211.109 | RCPT TO:<admin@airseaalliance.com>
                                               Sep 27, 2021 16:42:31.085663080 CEST | 587 | 49804 | 135.181.211.109 | 192.168.2.6 | 250 Accepted
                                               Sep 27, 2021 16:42:31.086240053 CEST | 49804 | 587 | 192.168.2.6 | 135.181.211.109 | DATA
                                               Sep 27, 2021 16:42:31.138175011 CEST | 587 | 49804 | 135.181.211.109 | 192.168.2.6 | 354 Enter message, ending with "." on a line by itself
                                               Sep 27, 2021 16:42:31.141004086 CEST | 49804 | 587 | 192.168.2.6 | 135.181.211.109 | .
                                               Sep 27, 2021 16:42:31.194349051 CEST | 587 | 49804 | 135.181.211.109 | 192.168.2.6 | 250 OK id=1mUrpw-00Fj3O-17
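The SMTP exchange above is the part of this report a responder actually acts on: the server advertised STARTTLS, the client ignored it and sent AUTH LOGIN in the clear, the base64 username leg decodes to the same mailbox that appears in MAIL FROM and RCPT TO, and the EHLO argument is a bare number. The following script is an added example (not Joe Sandbox code) that pulls those indicators out of a captured exchange; its input is constructed from the commands in the table, so the client's password leg, which the report does not show, is absent from it too. The AUTH PLAIN branch is an assumption about mechanisms this server also offers, not something observed in the capture.

```python
# Added example for this report, not Joe Sandbox code: extract the exfil
# indicators a responder wants from a captured SMTP exchange. The transcript
# is constructed from the "SMTP Packets" table; the client's password leg
# (after "334 UGFzc3dvcmQ6") is not in the report and is absent here as well.
import base64
import binascii
import re

CAPTURED_EXCHANGE = [  # ("S" server / "C" client, line) as shown in the report
    ("S", "220-lin90.itlinks.com ESMTP Exim 4.94.2 #2 Mon, 27 Sep 2021 16:42:30 +0200"),
    ("S", "220-We do not authorize the use of this system to transport unsolicited,"),
    ("S", "220 and/or bulk e-mail."),
    ("C", "EHLO 302494"),
    ("S", "250-lin90.itlinks.com Hello 302494 [185.189.150.72]"),
    ("S", "250-SIZE 52428800"),
    ("S", "250-8BITMIME"),
    ("S", "250-PIPELINING"),
    ("S", "250-PIPE_CONNECT"),
    ("S", "250-AUTH PLAIN LOGIN"),
    ("S", "250-STARTTLS"),
    ("S", "250 HELP"),
    ("C", "AUTH login YWRtaW5AYWlyc2VhYWxsaWFuY2UuY29t"),
    ("S", "334 UGFzc3dvcmQ6"),
    ("S", "235 Authentication succeeded"),
    ("C", "MAIL FROM:<admin@airseaalliance.com>"),
    ("S", "250 OK"),
    ("C", "RCPT TO:<admin@airseaalliance.com>"),
    ("S", "250 Accepted"),
    ("C", "DATA"),
    ("S", '354 Enter message, ending with "." on a line by itself'),
    ("C", "."),
    ("S", "250 OK id=1mUrpw-00Fj3O-17"),
]

_ANGLE_ADDR = re.compile(r"<([^>]*)>")

def decode_b64_token(token):
    """Decode a base64 SMTP token to text; None if it is not valid base64/UTF-8."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None

def triage_smtp(exchange):
    """Walk the exchange once and collect hosts, identities and TLS/auth facts."""
    r = {"server_host": None, "client_public_ip": None, "ehlo": None,
         "ehlo_numeric": False, "starttls_offered": False, "starttls_used": False,
         "auth_mechanism": None, "auth_username": None, "auth_succeeded": False,
         "mail_from": None, "rcpt_to": [], "self_addressed": False,
         "accepted_message_id": None}
    for side, line in exchange:
        if side == "S":
            if line.startswith("220") and r["server_host"] is None:
                r["server_host"] = line[4:].split()[0]           # banner hostname
            elif line.startswith("250") and " Hello " in line:
                m = re.search(r"\[([0-9a-fA-F.:]+)\]", line)     # our IP as the server saw it
                r["client_public_ip"] = m.group(1) if m else None
            elif line.startswith("250") and line[4:].upper() == "STARTTLS":
                r["starttls_offered"] = True
            elif line.startswith("235"):
                r["auth_succeeded"] = True
            elif line.startswith("250 OK id="):
                r["accepted_message_id"] = line.split("id=", 1)[1]
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            r["ehlo"], r["ehlo_numeric"] = arg, arg.isdigit()
        elif verb == "STARTTLS":
            r["starttls_used"] = True
        elif verb == "AUTH":
            mech, _, initial = arg.partition(" ")
            r["auth_mechanism"] = mech.upper()
            dec = decode_b64_token(initial) if initial else None
            if r["auth_mechanism"] == "LOGIN":
                r["auth_username"] = dec                         # first LOGIN leg is the username
            elif r["auth_mechanism"] == "PLAIN" and dec and dec.count("\0") == 2:
                r["auth_username"] = dec.split("\0")[1]          # PLAIN: authzid\0authcid\0password
        elif verb == "MAIL":
            m = _ANGLE_ADDR.search(arg)
            r["mail_from"] = m.group(1) if m else None
        elif verb == "RCPT":
            m = _ANGLE_ADDR.search(arg)
            if m:
                r["rcpt_to"].append(m.group(1))
    r["self_addressed"] = r["mail_from"] is not None and r["rcpt_to"] == [r["mail_from"]]
    return r

def exfil_indicators(r):
    """Reasons the exchange matches the stealer-exfil pattern seen in this report."""
    reasons = []
    if r["auth_mechanism"] in ("LOGIN", "PLAIN") and r["starttls_offered"] and not r["starttls_used"]:
        reasons.append("credentials sent in the clear although the server offered STARTTLS")
    if r["ehlo_numeric"]:
        reasons.append("EHLO argument is a bare number rather than a hostname")
    if r["self_addressed"]:
        reasons.append("MAIL FROM equals RCPT TO: the mailbox is its own drop")
    if r["auth_username"] and r["auth_username"] == r["mail_from"]:
        reasons.append("authenticated as the same mailbox the report is sent from")
    return reasons
```

Run `triage_smtp(CAPTURED_EXCHANGE)` and feed the result to `exfil_indicators` to get all four reasons for this capture; the decoded AUTH username gives the mailbox to request takedown or credential reset for, and `client_public_ip` (185.189.150.72 here) is the sandbox's egress address as the mail server recorded it, useful when correlating against the server's own logs.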

                                              System Behavior

                                              General

                                              Start time:16:40:32
                                              Start date:27/09/2021
                                              Path:C:\Users\user\Desktop\qOthJCpJ8E.exe
                                              Wow64 process (32bit):true
                                              Commandline:'C:\Users\user\Desktop\qOthJCpJ8E.exe'
                                              Imagebase:0x370000
                                              File size:882176 bytes
                                              MD5 hash:B0A10BD27D48FEA4E569797829057892
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000002.00000002.354431528.0000000002911000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000002.00000002.354577262.000000000298D000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.355601283.0000000003911000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000002.355601283.0000000003911000.00000004.00000001.sdmp, Author: Joe Security
                                              Reputation:low

                                              General

                                              Start time:16:40:41
                                              Start date:27/09/2021
                                              Path:C:\Users\user\Desktop\qOthJCpJ8E.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Users\user\Desktop\qOthJCpJ8E.exe
                                              Imagebase:0x770000
                                              File size:882176 bytes
                                              MD5 hash:B0A10BD27D48FEA4E569797829057892
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.607696805.0000000002B81000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.607696805.0000000002B81000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.601109843.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000002.601109843.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                              Reputation:low

                                              Disassembly

                                              Code Analysis

                                                Executed Functions

                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 00D49656
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.354067111.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0

                                                APIs
                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00D4FE8A
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.354067111.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false
                                                Similarity
                                                • API ID: CreateWindow
                                                • String ID:
                                                • API String ID: 716092398-0

                                                APIs
                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00D4FE8A
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.354067111.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false
                                                Similarity
                                                • API ID: CreateWindow
                                                • String ID:
                                                • API String ID: 716092398-0

                                                APIs
                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00D4FE8A
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.354067111.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false
                                                Similarity
                                                • API ID: CreateWindow
                                                • String ID:
                                                • API String ID: 716092398-0

                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 00D45421
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.354067111.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0

                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 00D45421
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.354067111.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0

                                                APIs
                                                • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,04E5EF9D,?,?), ref: 04E5F04F
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.356356503.0000000004E50000.00000040.00000001.sdmp, Offset: 04E50000, based on PE: false
                                                Similarity
                                                • API ID: DrawText
                                                • String ID:
                                                • API String ID: 2175133113-0

                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00D4B8FE,?,?,?,?,?), ref: 00D4B9BF
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.354067111.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0

                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00D4B8FE,?,?,?,?,?), ref: 00D4B9BF
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.354067111.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0

                                                APIs
                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00D496D1,00000800,00000000,00000000), ref: 00D498E2
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.354067111.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0

                                                APIs
                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00D496D1,00000800,00000000,00000000), ref: 00D498E2
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.354067111.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0

                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 00D49656
                                                Memory Dump Source
                                                • Source File: 00000002.00000002.354067111.0000000000D40000.00000040.00000001.sdmp, Offset: 00D40000, based on PE: false
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0

                                                Executed Functions

                                                 Memory Dump Source
                                                 • Source File: 00000004.00000002.602831910.0000000000C60000.00000040.00000001.sdmp, Offset: 00C60000, based on PE: false
                                                 Similarity
                                                 • API ID: InitializeThunk
                                                 • String ID:
                                                 • API String ID: 2994545307-0

                                                 Memory Dump Source
                                                 • Source File: 00000004.00000002.602716955.0000000000C50000.00000040.00000001.sdmp, Offset: 00C50000, based on PE: false
                                                 Similarity
                                                 • API ID: InitializeThunk
                                                 • String ID:
                                                 • API String ID: 2994545307-0

                                                APIs
                                                • GetCurrentProcess.KERNEL32 ref: 00F669A0
                                                • GetCurrentThread.KERNEL32 ref: 00F669DD
                                                • GetCurrentProcess.KERNEL32 ref: 00F66A1A
                                                • GetCurrentThreadId.KERNEL32 ref: 00F66A73
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.606852969.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
                                                Similarity
                                                • API ID: Current$ProcessThread
                                                • String ID:
                                                • API String ID: 2063062207-0

                                                APIs
                                                • GetCurrentProcess.KERNEL32 ref: 00F669A0
                                                • GetCurrentThread.KERNEL32 ref: 00F669DD
                                                • GetCurrentProcess.KERNEL32 ref: 00F66A1A
                                                • GetCurrentThreadId.KERNEL32 ref: 00F66A73
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.606852969.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
                                                Similarity
                                                • API ID: Current$ProcessThread
                                                • String ID:
                                                • API String ID: 2063062207-0

                                                 Memory Dump Source
                                                 • Source File: 00000004.00000002.602831910.0000000000C60000.00000040.00000001.sdmp, Offset: 00C60000, based on PE: false
                                                 Similarity
                                                 • API ID: InitializeThunk
                                                 • String ID:
                                                 • API String ID: 2994545307-0

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00F651A2
Memory Dump Source
• Source File: 00000004.00000002.606852969.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 3b489ef4da56ab6a13eeb765b21f4ebaaa96ed11f9839e445c302058a8fd590f
• Instruction ID: 90bda4b5d5f297b10272a8a8a69b9f12cebafd356a7575423023caa0bce331ec
• Opcode Fuzzy Hash: 3b489ef4da56ab6a13eeb765b21f4ebaaa96ed11f9839e445c302058a8fd590f
• Instruction Fuzzy Hash: 8F51DFB1D103189FDF14CFAAD884ADEBBB5FF89714F24812AE818AB210D7759845CF90
Uniqueness
• Uniqueness Score: -1.00%

APIs
• RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 00C60A91
Memory Dump Source
• Source File: 00000004.00000002.602831910.0000000000C60000.00000040.00000001.sdmp, Offset: 00C60000, based on PE: false
Similarity
• API ID: QueryValue
• String ID:
• API String ID: 3660427363-0
• Opcode ID: 841ec1f88ecc0ad1f8b885553f067d63c46a0253921e8ca0aadd8235f5896258
• Instruction ID: 3245634fc9c509ea693205b36f7a29999cb8aa08ad275bdb699e683c147cea59
• Opcode Fuzzy Hash: 841ec1f88ecc0ad1f8b885553f067d63c46a0253921e8ca0aadd8235f5896258
• Instruction Fuzzy Hash: 3A41F7B1E003599FCB10CFD9C884A9EBBF5FB48750F258029E818BB255D7749945CB90
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00F651A2
Memory Dump Source
• Source File: 00000004.00000002.606852969.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 60373a9adf41a90c1028733fb0d120a400ceb94d0a075c2ff417218cc39ae423
• Instruction ID: 29d5be1f891e64f570c9e4c288a31e4631ae47e41542949b37838c033f0bc0ee
• Opcode Fuzzy Hash: 60373a9adf41a90c1028733fb0d120a400ceb94d0a075c2ff417218cc39ae423
• Instruction Fuzzy Hash: 8141CEB1D103189FDF14CF9AD884ADEBBB5FF89314F24812AE819AB210D7749885CF90
Uniqueness
• Uniqueness Score: -1.00%

APIs
• RegOpenKeyExW.KERNELBASE(?,00000000,?,00000001,?), ref: 00C607D4
Memory Dump Source
• Source File: 00000004.00000002.602831910.0000000000C60000.00000040.00000001.sdmp, Offset: 00C60000, based on PE: false
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
• Opcode ID: 3bfa952451705771e6be6a454d655658d2acb868ad1a2ce3b79f4fa6243e2764
• Instruction ID: 6383f3e333386878095b2348c3c532f469a0b4155187bc85498b12d161a5f1b0
• Opcode Fuzzy Hash: 3bfa952451705771e6be6a454d655658d2acb868ad1a2ce3b79f4fa6243e2764
• Instruction Fuzzy Hash: 8D4125B1E013498FDB10CFA9C588A9EFBF5AF48314F28C16AE409AB341D7B59945CF90
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 00F67F09
Memory Dump Source
• Source File: 00000004.00000002.606852969.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
Similarity
• API ID: CallProcWindow
• String ID:
• API String ID: 2714655100-0
• Opcode ID: 8951a3b3ef1420efbc274e1581d68ac6c6c507187b709cc45044274723da0d2f
• Instruction ID: 0c77249767d23cb11c53913cf2c6b665ee4796968e7d8affbcb7b0cb708d592f
• Opcode Fuzzy Hash: 8951a3b3ef1420efbc274e1581d68ac6c6c507187b709cc45044274723da0d2f
• Instruction Fuzzy Hash: 5B4158B59003058FCB14DF99C488AAABBF5FF88328F24C459E419AB321D375A845DFA0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• RtlEncodePointer.NTDLL(00000000), ref: 00F6C222
Memory Dump Source
• Source File: 00000004.00000002.606852969.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
Similarity
• API ID: EncodePointer
• String ID:
• API String ID: 2118026453-0
• Opcode ID: c735e6146ff35ed424543c0b61ef97f05702c14b8103147518a9b20e9566e99a
• Instruction ID: 70b7f55d7cca493835ae5ca29a643e96c0a6155f461d593a7f2c9dce2b421b1b
• Opcode Fuzzy Hash: c735e6146ff35ed424543c0b61ef97f05702c14b8103147518a9b20e9566e99a
• Instruction Fuzzy Hash: 4C31EF718043848FCB10EFA9E9083DA7FF4EB46714F18846AD488A7202D3795844DFE1
Uniqueness
• Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F66BEF
Memory Dump Source
• Source File: 00000004.00000002.606852969.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 853b8c0e6d50aec1327ac0db4b8f92bf3e79b87eb7f52b4c39fd0f60c89f02d4
• Instruction ID: b8416ecfb9fe2b7545d498c41fc13a0c8ce5f3ad1e3d637f0814f6785557ee5f
• Opcode Fuzzy Hash: 853b8c0e6d50aec1327ac0db4b8f92bf3e79b87eb7f52b4c39fd0f60c89f02d4
• Instruction Fuzzy Hash: C621C0B59002489FDB10CFAAD584AEEBBF8FB48324F14841AE914A7210D379A954CFA0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F66BEF
Memory Dump Source
• Source File: 00000004.00000002.606852969.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 0c5cd7dfa57baa765ed52e8ed3a99d5a5ed63203f3fce6d40343423dda2b6a3b
• Instruction ID: e3cc421857067500785502583fa46dfbe9ef48b805b52548e47c9a8f50e80cb5
• Opcode Fuzzy Hash: 0c5cd7dfa57baa765ed52e8ed3a99d5a5ed63203f3fce6d40343423dda2b6a3b
• Instruction Fuzzy Hash: B721D3B5D00248DFDB10CFAAD984ADEBBF8FB48324F14841AE914A7310D375A954DFA1
Uniqueness
• Uniqueness Score: -1.00%

APIs
• RtlEncodePointer.NTDLL(00000000), ref: 00F6C222
Memory Dump Source
• Source File: 00000004.00000002.606852969.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
Similarity
• API ID: EncodePointer
• String ID:
• API String ID: 2118026453-0
• Opcode ID: 6f0e7170eeb8a55aa30d632a2ce4338ba05344eeffae66073cf1c061f55348c9
• Instruction ID: 3a5295a19f2292df860e3da4fd6c73945b0b64e102e02e06864f23a684addaba
• Opcode Fuzzy Hash: 6f0e7170eeb8a55aa30d632a2ce4338ba05344eeffae66073cf1c061f55348c9
• Instruction Fuzzy Hash: 871189719003188FCB20EFEAD5087DEBBF4EB4A724F24842AC449A3201D779A944CFA0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 00F64116
Memory Dump Source
• Source File: 00000004.00000002.606852969.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 18daddb7e0a2de411aa6f90d12917c0b2c4c0fed64f1d4643d44a43e9af8955c
• Instruction ID: 9cc5b1cbd84553673606e208dfc2d802e9579af5f8fca67978e45a131dbf4278
• Opcode Fuzzy Hash: 18daddb7e0a2de411aa6f90d12917c0b2c4c0fed64f1d4643d44a43e9af8955c
• Instruction Fuzzy Hash: C81102B5C002498FCB10DF9AD444ADEFBF4EF89324F14852AD419B7600D375A549CFA1
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 00F64116
Memory Dump Source
• Source File: 00000004.00000002.606852969.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 9e48a054cbd8763f5d85db99c0f4fcf53b57aa252b180a6798da2cf032dc57c9
• Instruction ID: 93df735f7953795d34d5aa290d0051d9b5c672245d314de1ff97cc8bc76ad3e7
• Opcode Fuzzy Hash: 9e48a054cbd8763f5d85db99c0f4fcf53b57aa252b180a6798da2cf032dc57c9
• Instruction Fuzzy Hash: 511113B6C006498FCB10EF9AD444BDEFBF4EB89324F14842AD929B7600D375A545CFA1
Uniqueness
• Uniqueness Score: -1.00%

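The function entries above all come from two memory dumps of process 4 that are marked "based on PE: false", i.e. regions that are not backed by a loaded image yet resolve Win32 APIs (window creation and handle duplication at 00F60000, registry reads at 00C60000). To triage a listing like this it is useful to pull the entries into structured records and group the API calls by the region they were dumped from. The parser below is an added example written for this report format; it is not Joe Sandbox code. The sample text is constructed from four entries copied from the listing above, and the only assumption about the .sdmp file name is that its fourth dot-separated field is the region base address, which is cross-checked against the "Offset:" value on every entry.

```python
"""Parse a Joe Sandbox executed-functions listing into records and group
API calls by memory region. Added example, not Joe Sandbox code."""
import re
from collections import defaultdict

# Constructed sample: four entries copied from the listing above.
SAMPLE = """\
APIs
• GetCurrentThread.KERNEL32 ref: 00F669DD
• GetCurrentProcess.KERNEL32 ref: 00F66A1A
• GetCurrentThreadId.KERNEL32 ref: 00F66A73
Memory Dump Source
• Source File: 00000004.00000002.606852969.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.602831910.0000000000C60000.00000040.00000001.sdmp, Offset: 00C60000, based on PE: false
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00F651A2
Memory Dump Source
• Source File: 00000004.00000002.606852969.0000000000F60000.00000040.00000001.sdmp, Offset: 00F60000, based on PE: false
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,00000000,?), ref: 00C60A91
Memory Dump Source
• Source File: 00000004.00000002.602831910.0000000000C60000.00000040.00000001.sdmp, Offset: 00C60000, based on PE: false
Similarity
• API ID: QueryValue
• String ID:
• API String ID: 3660427363-0
Uniqueness
Uniqueness Score: -1.00%
"""

# "Api.MODULE(args), ref: ADDR" or, with no argument list, "Api.MODULE ref: ADDR".
_API_RE = re.compile(
    r"^•?\s*(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
_SRC_RE = re.compile(
    r"^•?\s*Source File:\s*(?P<file>\S+),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)$")
_KV_RE = re.compile(r"^•?\s*(?P<key>[A-Za-z ]+?):\s*(?P<value>.*)$")


def base_from_sdmp_name(name):
    """Assumption: the 4th dot-separated field of the .sdmp name is the region
    base (it equals the 'Offset:' value on every entry in this report). The
    remaining fields are not documented here and are left alone."""
    parts = name.split(".")
    if len(parts) < 4:
        raise ValueError(f"unexpected dump name: {name}")
    return int(parts[3], 16)


def parse_entries(text):
    """Split the listing at each 'APIs' heading and collect one record per entry."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":
            cur = {"apis": [], "source_file": None, "base": None,
                   "offset": None, "pe_backed": None, "fields": {}}
            entries.append(cur)
            continue
        if cur is None:
            continue  # text before the first entry
        m = _API_RE.match(line)
        if m:
            cur["apis"].append({"api": m["api"], "module": m["module"],
                                "args": m["args"], "ref": int(m["ref"], 16)})
            continue
        m = _SRC_RE.match(line)
        if m:
            cur["source_file"] = m["file"]
            cur["offset"] = int(m["offset"], 16)
            cur["base"] = base_from_sdmp_name(m["file"])
            cur["pe_backed"] = m["pe"] == "true"
            continue
        m = _KV_RE.match(line)
        if m:
            cur["fields"][m["key"]] = m["value"]
    return entries


def check_offsets(entries):
    """Return dump names whose encoded base disagrees with the 'Offset:' field."""
    return [e["source_file"] for e in entries if e["base"] != e["offset"]]


def apis_by_region(entries):
    """Map region base -> set of 'MODULE!Api' names resolved from that region."""
    out = defaultdict(set)
    for e in entries:
        for a in e["apis"]:
            out[e["base"]].add(f'{a["module"]}!{a["api"]}')
    return dict(out)


def non_pe_regions_with_apis(entries):
    """Regions not backed by a PE image that still call Win32 APIs: the
    regions an analyst looks at first when the report flags code injection."""
    not_pe = {e["base"] for e in entries if e["pe_backed"] is False}
    return {b: sorted(a) for b, a in apis_by_region(entries).items() if b in not_pe}


if __name__ == "__main__":
    ents = parse_entries(SAMPLE)
    assert not check_offsets(ents), check_offsets(ents)
    for base, apis in sorted(non_pe_regions_with_apis(ents).items()):
        print(f"{base:08X}: {', '.join(apis)}")
```

Feeding the whole listing through `parse_entries` gives one record per function with its opcode and instruction hashes in `fields`, so the same region summary can be produced for the full report and the fuzzy hashes compared across samples.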
Non-executed Functions