
Windows Analysis Report QUOTE 7254.bat

Overview

General Information

Sample Name: QUOTE 7254.bat (renamed file extension from bat to exe)
Analysis ID: 502634
MD5: 4d0f6d1430135a6779417b51294af53c
SHA1: a473af0c7fa93abf4ee9f780664eee49843ca008
SHA256: 810834cae1e8be03e2534968ea0a1132a6d2dd18d8fd3e366c3d9dca3fb05846
Tags: AgentTesla, bat, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Multi AV Scanner detection for dropped file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • QUOTE 7254.exe (PID: 5028 cmdline: 'C:\Users\user\Desktop\QUOTE 7254.exe' MD5: 4D0F6D1430135A6779417B51294AF53C)
    • schtasks.exe (PID: 400 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OgXhLeamRasUa' /XML 'C:\Users\user\AppData\Local\Temp\tmpE381.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • QUOTE 7254.exe (PID: 7020 cmdline: C:\Users\user\Desktop\QUOTE 7254.exe MD5: 4D0F6D1430135A6779417B51294AF53C)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "anams@rapidmail.ec", "Password": "icui4cu2@@", "Host": "mail.rapidmail.ec"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.315370304.00000000034E9000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
00000000.00000002.315370304.00000000034E9000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | -
00000000.00000002.314916497.00000000025D9000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | -
00000006.00000002.560111037.0000000003034000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
00000000.00000002.315692620.00000000036D2000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
(5 shown; 10 further entries omitted)

Unpacked PEs

Source | Rule | Description | Author | Strings
6.2.QUOTE 7254.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
6.2.QUOTE 7254.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | -
0.2.QUOTE 7254.exe.36e88d0.3.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
0.2.QUOTE 7254.exe.36e88d0.3.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security | -
0.2.QUOTE 7254.exe.25030f8.1.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security | -
(5 shown; 4 further entries omitted)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 0.2.QUOTE 7254.exe.3786320.2.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "anams@rapidmail.ec", "Password": "icui4cu2@@", "Host": "mail.rapidmail.ec"}
Multi AV Scanner detection for submitted file
Source: QUOTE 7254.exe | Virustotal: Detection: 13%
Source: QUOTE 7254.exe | ReversingLabs: Detection: 13%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\OgXhLeamRasUa.exe | ReversingLabs: Detection: 13%
Source: 6.2.QUOTE 7254.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: QUOTE 7254.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: QUOTE 7254.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: QUOTE 7254.exe, 00000006.00000002.559986480.0000000002F81000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: QUOTE 7254.exe, 00000006.00000002.559986480.0000000002F81000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: QUOTE 7254.exe, 00000006.00000002.559986480.0000000002F81000.00000004.00000001.sdmp | String found in binary or memory: http://RSNcbZ.com
Source: QUOTE 7254.exe, 00000000.00000003.294629031.000000000558B000.00000004.00000001.sdmp | String found in binary or memory: http://en.w
Source: QUOTE 7254.exe, 00000000.00000002.316952601.0000000006782000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: QUOTE 7254.exe, 00000000.00000002.314296675.00000000024E1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: QUOTE 7254.exe, 00000000.00000002.316952601.0000000006782000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: QUOTE 7254.exe, 00000000.00000002.316952601.0000000006782000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: QUOTE 7254.exe, 00000000.00000002.314296675.00000000024E1000.00000004.00000001.sdmp | String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
Source: QUOTE 7254.exe, 00000000.00000002.316952601.0000000006782000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: QUOTE 7254.exe, 00000000.00000003.300887871.0000000005579000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: QUOTE 7254.exe, 00000000.00000002.316952601.0000000006782000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: QUOTE 7254.exe, 00000000.00000002.316952601.0000000006782000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: QUOTE 7254.exe, 00000000.00000002.316952601.0000000006782000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: QUOTE 7254.exe, 00000000.00000002.316952601.0000000006782000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: QUOTE 7254.exe, 00000000.00000002.316952601.0000000006782000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: QUOTE 7254.exe, 00000000.00000002.316952601.0000000006782000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: QUOTE 7254.exe, 00000000.00000002.316736581.0000000005570000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comepko
Source: QUOTE 7254.exe, 00000000.00000002.316736581.0000000005570000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comionm
Source: QUOTE 7254.exe, 00000000.00000002.316736581.0000000005570000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comm
Source: QUOTE 7254.exe, 00000000.00000002.316952601.0000000006782000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: QUOTE 7254.exe, 00000000.00000003.294745041.000000000558B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com-ug6
Source: QUOTE 7254.exe, 00000000.00000003.294745041.000000000558B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comW
Source: QUOTE 7254.exe, 00000000.00000003.294764684.000000000558B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comr
Source: QUOTE 7254.exe, 00000000.00000003.296500677.0000000005574000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.c)
Source: QUOTE 7254.exe, 00000000.00000003.296500677.0000000005574000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: QUOTE 7254.exe, 00000000.00000003.296709307.0000000005574000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
Source: QUOTE 7254.exe, 00000000.00000002.316952601.0000000006782000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: QUOTE 7254.exe, 00000000.00000002.316952601.0000000006782000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: QUOTE 7254.exe, 00000000.00000003.296709307.0000000005574000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/tp
Source: QUOTE 7254.exe, 00000000.00000003.296500677.0000000005574000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnCY
Source: QUOTE 7254.exe, 00000000.00000003.296453440.00000000055AD000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cns-e
Source: QUOTE 7254.exe, 00000000.00000002.316952601.0000000006782000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: QUOTE 7254.exe, 00000000.00000002.316952601.0000000006782000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: QUOTE 7254.exe, 00000000.00000002.316952601.0000000006782000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: QUOTE 7254.exe, 00000000.00000003.298086089.0000000005574000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: QUOTE 7254.exe, 00000000.00000003.298086089.0000000005574000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/5
Source: QUOTE 7254.exe, 00000000.00000003.298086089.0000000005574000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/:
Source: QUOTE 7254.exe, 00000000.00000003.298086089.0000000005574000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/C
Source: QUOTE 7254.exe, 00000000.00000003.298086089.0000000005574000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: QUOTE 7254.exe, 00000000.00000003.298086089.0000000005574000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/t
Source: QUOTE 7254.exe, 00000000.00000003.294629031.000000000558B000.00000004.00000001.sdmp, QUOTE 7254.exe, 00000000.00000002.316952601.0000000006782000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: QUOTE 7254.exe, 00000000.00000003.294629031.000000000558B000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comGxz
Source: QUOTE 7254.exe, 00000000.00000002.316952601.0000000006782000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: QUOTE 7254.exe, 00000000.00000002.316952601.0000000006782000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: QUOTE 7254.exe, 00000000.00000003.295921750.0000000005576000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.krF
Source: QUOTE 7254.exe, 00000000.00000003.295921750.0000000005576000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.krtri
Source: QUOTE 7254.exe, 00000000.00000002.316952601.0000000006782000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: QUOTE 7254.exe, 00000000.00000003.295033022.000000000558B000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comc
Source: QUOTE 7254.exe, 00000000.00000002.316952601.0000000006782000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: QUOTE 7254.exe, 00000000.00000002.316952601.0000000006782000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: QUOTE 7254.exe, 00000000.00000002.316952601.0000000006782000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: QUOTE 7254.exe, 00000000.00000002.315692620.00000000036D2000.00000004.00000001.sdmp, QUOTE 7254.exe, 00000006.00000002.558003785.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: QUOTE 7254.exe, 00000006.00000002.559986480.0000000002F81000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

.NET source code contains very large array initializations
Source: 6.2.QUOTE 7254.exe.400000.0.unpack, <PrivateImplementationDetails>{041C5864-8BC5-4FD4-8275-9B3B73CB91FA}/FA9420DD-9003-4CC1-9A6E-DA16936AF8BD.cs | Large array initialization: .cctor: array initializer size 11777
Source: QUOTE 7254.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Code function: 0_2_00ADD064
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Code function: 0_2_00ADF298
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Code function: 0_2_00ADF296
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Code function: 6_2_013446A0
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Code function: 6_2_01344690
Source: QUOTE 7254.exe | Binary or memory string: OriginalFilename vs QUOTE 7254.exe
Source: QUOTE 7254.exe, 00000000.00000000.292258208.00000000000E2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSoapTi.exe6 vs QUOTE 7254.exe
Source: QUOTE 7254.exe, 00000000.00000002.315692620.00000000036D2000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUI.dll< vs QUOTE 7254.exe
Source: QUOTE 7254.exe, 00000000.00000002.315692620.00000000036D2000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamejOUkZdFMCThYhhcCysTX.exe4 vs QUOTE 7254.exe
Source: QUOTE 7254.exe | Binary or memory string: OriginalFilename vs QUOTE 7254.exe
Source: QUOTE 7254.exe, 00000006.00000002.559218723.00000000011DA000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs QUOTE 7254.exe
Source: QUOTE 7254.exe, 00000006.00000000.311728017.0000000000A42000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSoapTi.exe6 vs QUOTE 7254.exe
Source: QUOTE 7254.exe, 00000006.00000002.558560034.0000000000EF8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs QUOTE 7254.exe
Source: QUOTE 7254.exe, 00000006.00000002.558104120.0000000000438000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamejOUkZdFMCThYhhcCysTX.exe4 vs QUOTE 7254.exe
Source: QUOTE 7254.exe | Binary or memory string: OriginalFilenameSoapTi.exe6 vs QUOTE 7254.exe
Source: QUOTE 7254.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: OgXhLeamRasUa.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: QUOTE 7254.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: OgXhLeamRasUa.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: QUOTE 7254.exe | Virustotal: Detection: 13%
Source: QUOTE 7254.exe | ReversingLabs: Detection: 13%
Source: C:\Users\user\Desktop\QUOTE 7254.exe | File read: C:\Users\user\Desktop\QUOTE 7254.exe
Source: QUOTE 7254.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\QUOTE 7254.exe 'C:\Users\user\Desktop\QUOTE 7254.exe'
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OgXhLeamRasUa' /XML 'C:\Users\user\AppData\Local\Temp\tmpE381.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Process created: C:\Users\user\Desktop\QUOTE 7254.exe C:\Users\user\Desktop\QUOTE 7254.exe
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OgXhLeamRasUa' /XML 'C:\Users\user\AppData\Local\Temp\tmpE381.tmp'
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Process created: C:\Users\user\Desktop\QUOTE 7254.exe C:\Users\user\Desktop\QUOTE 7254.exe
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\QUOTE 7254.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\QUOTE 7254.exe | File created: C:\Users\user\AppData\Local\Gottschalks
Source: C:\Users\user\Desktop\QUOTE 7254.exe | File created: C:\Users\user\AppData\Local\Temp\tmpE381.tmp
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@6/4@0/0
Source: C:\Users\user\Desktop\QUOTE 7254.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Mutant created: \Sessions\1\BaseNamedObjects\hnmBLPJLNqlb
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6028:120:WilError_01
Source: 6.2.QUOTE 7254.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\QUOTE 7254.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: QUOTE 7254.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: QUOTE 7254.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker
Source: QUOTE 7254.exe, MapEditor1/CreateMapDialog.cs | .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: OgXhLeamRasUa.exe.0.dr, MapEditor1/CreateMapDialog.cs | .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.2.QUOTE 7254.exe.e0000.0.unpack, MapEditor1/CreateMapDialog.cs | .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.QUOTE 7254.exe.e0000.0.unpack, MapEditor1/CreateMapDialog.cs | .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 6.0.QUOTE 7254.exe.a40000.0.unpack, MapEditor1/CreateMapDialog.cs | .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Code function: 0_2_00AD203B push ebx; retf 0_2_00AD207A
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Code function: 0_2_07560298 pushfd ; ret 0_2_07560299
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Code function: 0_2_07564F4F push FFFFFF8Bh; iretd 0_2_07564F5F
Source: initial sample | Static PE information: section name: .text entropy: 7.85186272039
Source: C:\Users\user\Desktop\QUOTE 7254.exe | File created: C:\Users\user\AppData\Roaming\OgXhLeamRasUa.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OgXhLeamRasUa' /XML 'C:\Users\user\AppData\Local\Temp\tmpE381.tmp'
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: 0.2.QUOTE 7254.exe.25030f8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.314916497.00000000025D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.314296675.00000000024E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: QUOTE 7254.exe PID: 5028, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: QUOTE 7254.exe, 00000000.00000002.314916497.00000000025D9000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: QUOTE 7254.exe, 00000000.00000002.314916497.00000000025D9000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\QUOTE 7254.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\QUOTE 7254.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\QUOTE 7254.exe TID: 2268 | Thread sleep time: -43629s >= -30000s
Source: C:\Users\user\Desktop\QUOTE 7254.exe TID: 4840 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\QUOTE 7254.exe TID: 7080 | Thread sleep time: -21213755684765971s >= -30000s
Source: C:\Users\user\Desktop\QUOTE 7254.exe TID: 7076 | Thread sleep count: 602 > 30
Source: C:\Users\user\Desktop\QUOTE 7254.exe TID: 7076 | Thread sleep count: 9236 > 30
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Window / User API: threadDelayed 602
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Window / User API: threadDelayed 9236
Source: C:\Users\user\Desktop\QUOTE 7254.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Thread delayed: delay time: 43629
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Thread delayed: delay time: 922337203685477
Source: QUOTE 7254.exe, 00000000.00000002.314916497.00000000025D9000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: QUOTE 7254.exe, 00000000.00000002.314916497.00000000025D9000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: QUOTE 7254.exe, 00000000.00000002.314916497.00000000025D9000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: QUOTE 7254.exe, 00000000.00000002.314916497.00000000025D9000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OgXhLeamRasUa' /XML 'C:\Users\user\AppData\Local\Temp\tmpE381.tmp'
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Process created: C:\Users\user\Desktop\QUOTE 7254.exe C:\Users\user\Desktop\QUOTE 7254.exe
Source: QUOTE 7254.exe, 00000006.00000002.559662617.0000000001900000.00000002.00020000.sdmp | Binary or memory string: Program Manager
Source: QUOTE 7254.exe, 00000006.00000002.559662617.0000000001900000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: QUOTE 7254.exe, 00000006.00000002.559662617.0000000001900000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: QUOTE 7254.exe, 00000006.00000002.559662617.0000000001900000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Users\user\Desktop\QUOTE 7254.exe VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Users\user\Desktop\QUOTE 7254.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\QUOTE 7254.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                      Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 6.2.QUOTE 7254.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.QUOTE 7254.exe.36e88d0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.QUOTE 7254.exe.3786320.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.QUOTE 7254.exe.3786320.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.315370304.00000000034E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.315692620.00000000036D2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.558003785.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.560111037.0000000003034000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.559986480.0000000002F81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: QUOTE 7254.exe PID: 5028, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: QUOTE 7254.exe PID: 7020, type: MEMORYSTR
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\QUOTE 7254.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\QUOTE 7254.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\QUOTE 7254.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\QUOTE 7254.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: Yara match | File source: 00000006.00000002.559986480.0000000002F81000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: QUOTE 7254.exe PID: 7020, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla
Source: Yara match | same unpacked PE, memory dump and process memory sources as listed for this signature under Stealing of Sensitive Information above

Mitre Att&ck Matrix

Techniques are listed per tactic column; bracketed digits are the per-technique signature counts shown in the matrix.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation [211]; Scheduled Task/Job [1]; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Persistence: Scheduled Task/Job [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: Process Injection [12]; Scheduled Task/Job [1]; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: Masquerading [1]; Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [131]; Process Injection [12]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [2]; Software Packing [13]
Credential Access: OS Credential Dumping [1]; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Security Software Discovery [311]; Process Discovery [2]; Virtualization/Sandbox Evasion [131]; Application Window Discovery [1]; File and Directory Discovery [1]; System Information Discovery [114]; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Email Collection [1]; Archive Collected Data [11]; Data from Local System [1]; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: Encrypted Channel [1]; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

Behavior Graph

Graph image not included; its legend distinguishes: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet.

Screenshots

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Screenshot: windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
QUOTE 7254.exe | 14% | Virustotal |
QUOTE 7254.exe | 14% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\OgXhLeamRasUa.exe | 14% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

Unpacked PE Files

Source | Detection | Scanner | Label
6.2.QUOTE 7254.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

                      Domains

                      No Antivirus matches

                      URLs


                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      URLs from Memory and Binaries


                                            Contacted IPs

                                            No contacted IP infos

                                            General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 502634
Start date: 14.10.2021
Start time: 07:47:09
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 53s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: QUOTE 7254.bat (renamed file extension from bat to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@6/4@0/0
EGA Information: Failed
HDC Information:
• Successful, ratio: 0.5% (good quality ratio 0.3%)
• Quality average: 40.5%
• Quality standard deviation: 37%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 18
• Number of non-executed functions: 3
Cookbook Comments:
• Adjust boot time
• Enable AMSI
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 20.50.102.62, 20.54.110.249, 40.112.88.60, 52.251.79.25, 8.248.137.254, 67.27.157.126, 8.248.143.254, 8.248.117.254, 8.248.135.254, 20.199.120.85, 2.20.178.33, 2.20.178.24, 20.199.120.182, 20.82.209.183
• Excluded domains from analysis (whitelisted): fg.download.windowsupdate.com.c.footprint.net, client.wns.windows.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, wu-shim.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, consumer-displaycatalogrp-aks2aks-useast.md.mp.microsoft.com.akadns.net, eus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, displaycatalog-rp-useast.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                                            Simulations

                                            Behavior and APIs

Time | Type | Description
07:48:13 | API Interceptor | 787x Sleep call for process: QUOTE 7254.exe modified

                                            Joe Sandbox View / Context

                                            IPs

                                            No context

                                            Domains

                                            No context

                                            ASN

                                            No context

                                            JA3 Fingerprints

                                            No context

                                            Dropped Files

                                            No context

                                            Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\QUOTE 7254.exe.log
Process: C:\Users\user\Desktop\QUOTE 7254.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 1308
Entropy (8bit): 5.348115897127242
Encrypted: false
SSDEEP: 24:MLUE4KJXE4qpE4Ks2E1qE4qpAE4Kzr7RKDE4KhK3VZ9pKhPKIE4oKFKHKorE4x88:MIHKtH2HKXE1qHmAHKzvRYHKhQnoPtH2
MD5: 832D6A22CE7798D72609B9C21B4AF152
SHA1: B086DE927BFEE6039F5555CE53C397D1E59B4CA4
SHA-256: 9E5EE72EF293C66406AF155572BF3B0CF9DA09CC1F60ED6524AAFD65553CE551
SHA-512: A1A70F76B98C2478830AE737B4F12507D859365F046C5A415E1EBE3D87FFD2B64663A31E1E5142F7C3A7FE9A6A9CB8C143C2E16E94C3DD6041D1CCABEDDD2C21
Malicious: true
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Deployment, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows

C:\Users\user\AppData\Local\Temp\tmpE381.tmp
Process: C:\Users\user\Desktop\QUOTE 7254.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1646
Entropy (8bit): 5.187281476403803
Encrypted: false
SSDEEP: 24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBMtn:cbh47TlNQ//rydbz9I3YODOLNdq3g
MD5: 1385551B6E7BA262A26E79D9DC4BCBF8
SHA1: 462D9710631E60FEC0309EF59E32098B8C4E0D08
                                            SHA-256:A452EE129B69E2679617EE22235B297CB8987548A21C8C314F2A0B723C6E0CAB
                                            SHA-512:11ED65279FC9750A912DE4B67543A15DD4A9397F100FE78AE0579D502C6D5932E0F70543FAAF5C9FD6E995AC81200DC2DA5FE49631F22F2D5989CBD37D3553CA
                                            Malicious:true
                                            Reputation:low
                                            Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
                                            C:\Users\user\AppData\Roaming\OgXhLeamRasUa.exe
                                            Process:C:\Users\user\Desktop\QUOTE 7254.exe
                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Category:dropped
                                            Size (bytes):591872
                                            Entropy (8bit):7.623758179121773
                                            Encrypted:false
                                            SSDEEP:12288:jNUPCwBZCxvEa0mQcHquNArHutWMYlHqQAYYXmQF5epOEtDSB/A:6ZgvEa0BequNArOtYEVhXm9pj2B/
                                            MD5:4D0F6D1430135A6779417B51294AF53C
                                            SHA1:A473AF0C7FA93ABF4EE9F780664EEE49843CA008
                                            SHA-256:810834CAE1E8BE03E2534968EA0A1132A6D2DD18D8FD3E366C3D9DCA3FB05846
                                            SHA-512:67F89029D4185A8335303D43EEE87AAE9CD5E2C7FAF6F7F67B32116B5D27DAAE9E71BD48132C066B3B7A57D63430334CE073E818FCEBE0E50C0114A0196CCBE6
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 14%
                                            Reputation:low
                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....fa..............0..v............... ........@.. .......................`............@.................................H...O.......|....................@....................................................... ............... ..H............text....t... ...v.................. ..`.rsrc...|............x..............@..@.reloc.......@......................@..B................|.......H.......Lb...O......Y...X................................................0..V.........}......*.*s....}......}......}.....(.......(......{....r...po......{....r...po.....*...0.............(....&.{.........,....8....sA...%.{.....|....(....Z.{.....|....(....Z . &.s....} ...%.}......{ ...(.........(....o........+c...+C.....X.].......,+..(.......{....Z...{....Z.{.....{....o ........X.....|....(..........-....X.....|....(..........-......,...o!.....sB........|....(.....|....(....s"
                                            C:\Users\user\AppData\Roaming\OgXhLeamRasUa.exe:Zone.Identifier
                                            Process:C:\Users\user\Desktop\QUOTE 7254.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):26
                                            Entropy (8bit):3.95006375643621
                                            Encrypted:false
                                            SSDEEP:3:ggPYV:rPYV
                                            MD5:187F488E27DB4AF347237FE461A079AD
                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                            Malicious:false
                                            Reputation:high, very likely benign file
                                            Preview: [ZoneTransfer]....ZoneId=0

                                            Static File Info

                                            General

                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Entropy (8bit):7.623758179121773
                                            TrID:
                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                            • Win32 Executable (generic) a (10002005/4) 49.78%
                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                            • DOS Executable Generic (2002/1) 0.01%
                                            File name:QUOTE 7254.exe
                                            File size:591872
                                            MD5:4d0f6d1430135a6779417b51294af53c
                                            SHA1:a473af0c7fa93abf4ee9f780664eee49843ca008
                                            SHA256:810834cae1e8be03e2534968ea0a1132a6d2dd18d8fd3e366c3d9dca3fb05846
                                            SHA512:67f89029d4185a8335303d43eee87aae9cd5e2c7faf6f7f67b32116b5d27daae9e71bd48132c066b3b7a57d63430334ce073e818fcebe0e50c0114a0196ccbe6
                                            SSDEEP:12288:jNUPCwBZCxvEa0mQcHquNArHutWMYlHqQAYYXmQF5epOEtDSB/A:6ZgvEa0BequNArOtYEVhXm9pj2B/
                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....fa..............0..v............... ........@.. .......................`............@................................

                                            File Icon

                                            Icon Hash:c4b28ed696aa92c0

                                            Static PE Info

                                            General

                                            Entrypoint:0x47949a
                                            Entrypoint Section:.text
                                            Digitally signed:false
                                            Imagebase:0x400000
                                            Subsystem:windows gui
                                            Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                            DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                            Time Stamp:0x61668D0A [Wed Oct 13 07:38:50 2021 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:v4.0.30319
                                            OS Version Major:4
                                            OS Version Minor:0
                                            File Version Major:4
                                            File Version Minor:0
                                            Subsystem Version Major:4
                                            Subsystem Version Minor:0
                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
(the rest of the preview is zero padding, which decodes as a run of add byte ptr [eax], al)

0x00402000 is ImageBase (0x400000) plus the IAT RVA (0x2000): the 8-byte IAT holds the single import, mscoree.dll!_CorExeMain. This is the standard native entry stub of every .NET executable, not sample-specific code. Execution continues in the CLR, which locates the managed entrypoint through the CLR header (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR at RVA 0x2008), so nothing about the sample's behaviour can be read from this address.

                                            Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x79448          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x7a000          0x18c7c       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x94000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                            Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x2000           0x774a0       0x77600   False     0.909890379581   data       7.85186272039   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0x7a000          0x18c7c       0x18e00   False     0.195253611809   data       5.0688560408    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x94000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

A .text section at 7.85 bits per byte with ZLIB complexity 0.91 is almost entirely incompressible data rather than plain CIL: most of the file is an encrypted or compressed payload that is decoded at runtime. That is consistent with the Yara hits later in this report on the second QUOTE 7254.exe instance at 0x00402000, which is the static ImageBase rather than that process's own load address of 0xa40000.

                                            Resources

Name           RVA      Size     Type                                                                                                        Language  Country
RT_ICON        0x7a180  0x468    GLS_BINARY_LSB_FIRST
RT_ICON        0x7a5f8  0x10a8   dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0
RT_ICON        0x7b6b0  0x25a8   dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
RT_ICON        0x7dc68  0x4228   dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0
RT_ICON        0x81ea0  0x10828  dBase III DBT, version number 0, next free block index 40
RT_GROUP_ICON  0x926d8  0x4c     data
RT_VERSION     0x92734  0x348    data
RT_MANIFEST    0x92a8c  0x1ea    XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

The dBase labels on the RT_ICON entries are file-type heuristics misfiring on raw icon bitmap data; they do not indicate embedded database files.

                                            Imports

DLL          Import
mscoree.dll  _CorExeMain
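The tables above contain everything needed to recognise the native entry stub and to see that the code section is packed. The following is an added example, not Joe Sandbox's or the sample author's code, that performs both checks with nothing but the Python standard library: it reads the PE32 headers, confirms that the entrypoint is FF 25 imm32 (jmp dword ptr [imm32]) with imm32 inside the IAT, and computes per-section entropy. The image it parses is a toy PE constructed in build_stub_pe() with the same IAT layout as the sample (RVA 0x2000, size 8) and the same jmp dword ptr [0x402000] stub; it is not the sample, and its section contents are synthetic.

```python
"""Static checks on a PE32 .NET loader: per-section entropy and whether the
native entrypoint is the canonical CLR stub (jmp dword ptr [IAT slot], the
slot being filled by the loader with mscoree!_CorExeMain).
Added example, not Joe Sandbox code; build_stub_pe() constructs a toy PE32."""
import math
import struct


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally likely (random/packed)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(image: bytes) -> dict:
    """Minimal PE32 reader: entrypoint, image base, IAT directory, section table."""
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    (nsec,) = struct.unpack_from("<H", image, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", image, e_lfanew + 20)
    opt = e_lfanew + 24
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images handled here")
    (entry_rva,) = struct.unpack_from("<I", image, opt + 16)
    (image_base,) = struct.unpack_from("<I", image, opt + 28)
    iat_rva, iat_size = struct.unpack_from("<II", image, opt + 96 + 12 * 8)  # directory 12 = IAT
    sections = []
    for i in range(nsec):
        name, vsize, rva, rsize, raw = struct.unpack_from("<8sIIII", image, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "rva": rva, "vsize": vsize,
                         "data": image[raw:raw + rsize]})
    return {"entry_rva": entry_rva, "image_base": image_base,
            "iat_rva": iat_rva, "iat_size": iat_size, "sections": sections}


def read_rva(pe: dict, rva: int, n: int) -> bytes:
    """Fetch n bytes at an RVA from whichever section maps it (file view, not a loaded image)."""
    for s in pe["sections"]:
        if s["rva"] <= rva < s["rva"] + max(s["vsize"], len(s["data"])):
            return s["data"][rva - s["rva"]: rva - s["rva"] + n]
    return b""


def is_clr_entry_stub(pe: dict) -> bool:
    """True when the entrypoint is jmp dword ptr [imm32] and imm32 lands inside the
    IAT, i.e. the stub that only forwards to _CorExeMain. Anything else at the
    native entrypoint of a .NET image deserves a closer look."""
    code = read_rva(pe, pe["entry_rva"], 6)
    if len(code) < 6 or code[:2] != b"\xff\x25":
        return False
    (target,) = struct.unpack_from("<I", code, 2)
    iat_va = pe["image_base"] + pe["iat_rva"]
    return iat_va <= target < iat_va + pe["iat_size"]


def section_entropies(pe: dict) -> dict:
    return {s["name"]: round(shannon_entropy(s["data"]), 3) for s in pe["sections"]}


def build_stub_pe() -> bytes:
    """Constructed toy PE32 (not the sample): IAT at RVA 0x2000, the FF 25 stub
    right behind it, a near-uniform .text and an all-zero .rsrc."""
    base, text_rva, text_raw, rsrc_rva, rsrc_raw, size = 0x400000, 0x2000, 0x200, 0x3000, 0x400, 0x200
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                         # e_lfanew
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 16, text_rva + 8)                  # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, base)                          # ImageBase
    struct.pack_into("<I", opt, 92, 16)                            # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 12 * 8, text_rva, 8)         # IMAGE_DIRECTORY_ENTRY_IAT
    def sec(name, rva, raw, flags):
        return struct.pack("<8sIIIIIIHHI", name, size, rva, size, raw, 0, 0, 0, 0, flags)
    hdr = (bytes(dos) + coff + bytes(opt) + sec(b".text", text_rva, text_raw, 0x60000020)
           + sec(b".rsrc", rsrc_rva, rsrc_raw, 0x40000040))
    text = bytearray(bytes(range(256)) * 2)                        # every value twice: ~8 bits/byte
    text[0:8] = b"\0" * 8                                          # IAT slot + terminator
    text[8:14] = b"\xff\x25" + struct.pack("<I", base + text_rva)  # jmp dword ptr [0x402000]
    return hdr.ljust(text_raw, b"\0") + bytes(text) + b"\0" * size


if __name__ == "__main__":
    pe = parse_pe(build_stub_pe())
    print("CLR entry stub:", is_clr_entry_stub(pe))
    print("section entropy:", section_entropies(pe))
```

On the real sample the same two calls would report the stub as genuine and .text at roughly the 7.85 shown in the Sections table; a .NET file whose native entrypoint is anything other than this stub, or whose CLR header is missing while mscoree is still the only import, has been tampered with.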

                                            Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright Gottschalks 2011
Assembly Version  1.0.0.0
InternalName      SoapTi.exe
FileVersion       1.0.0.0
CompanyName       Gottschalks
LegalTrademarks
Comments
ProductName       MapEditor1
ProductVersion    1.0.0.0
FileDescription   MapEditor1
OriginalFilename  SoapTi.exe

InternalName and OriginalFilename (SoapTi.exe) do not match the submitted file name (QUOTE 7254.exe), and the file is not digitally signed, so the version block cannot be relied on to identify the software.

                                            Network Behavior

                                            No network behavior found


                                            System Behavior

                                            General

                                            Start time:07:48:07
                                            Start date:14/10/2021
                                            Path:C:\Users\user\Desktop\QUOTE 7254.exe
                                            Wow64 process (32bit):true
                                            Commandline:'C:\Users\user\Desktop\QUOTE 7254.exe'
                                            Imagebase:0xe0000
                                            File size:591872 bytes
                                            MD5 hash:4D0F6D1430135A6779417B51294AF53C
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.315370304.00000000034E9000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.315370304.00000000034E9000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.314916497.00000000025D9000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.315692620.00000000036D2000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.315692620.00000000036D2000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.314296675.00000000024E1000.00000004.00000001.sdmp, Author: Joe Security
                                            Reputation:low

                                            General

                                            Start time:07:48:15
                                            Start date:14/10/2021
                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                            Wow64 process (32bit):true
                                            Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OgXhLeamRasUa' /XML 'C:\Users\user\AppData\Local\Temp\tmpE381.tmp'
                                            Imagebase:0x100000
                                            File size:185856 bytes
                                            MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
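The persistence chain recorded in this report is: copy the sample to %APPDATA%\OgXhLeamRasUa.exe (its MD5, SHA-1 and SHA-256 are identical to the submitted file), write a Task XML to %TEMP%, then register it with schtasks /Create /TN 'Updates\OgXhLeamRasUa' /XML. The following is an added example, not Joe Sandbox code, that turns those artifacts into responder findings: it parses the Task XML, the schtasks command line and the Zone.Identifier stream, and compares the hashes. Two assumptions: the <Actions> element is not visible in the truncated tmpE381.tmp preview and is assumed to point at the dropped copy, and the Zone.Identifier text is reconstructed from its 26-byte preview.

```python
"""Triage of the persistence artifacts in this report: the schtasks command
line, the dropped Task XML, the Zone.Identifier stream and the self-copy.
Added example, not Joe Sandbox code. Inputs are constructed from the report's
previews; the <Actions> element is an assumption (the preview stops before it)."""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed from the tmpE381.tmp preview; <Actions> is assumed, not on the page.
SAMPLE_TASK_XML = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Date>2014-10-25T14:27:44.8929027</Date><Author>computer\user</Author></RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled><UserId>computer\user</UserId></LogonTrigger>
    <RegistrationTrigger><Enabled>false</Enabled></RegistrationTrigger>
  </Triggers>
  <Principals><Principal id="Author"><UserId>computer\user</UserId>
    <LogonType>InteractiveToken</LogonType><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\Users\user\AppData\Roaming\OgXhLeamRasUa.exe</Command></Exec></Actions>
</Task>"""
# Command line exactly as logged for the schtasks.exe process in this report.
SAMPLE_SCHTASKS = r"""'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OgXhLeamRasUa' /XML 'C:\Users\user\AppData\Local\Temp\tmpE381.tmp'"""
# Reconstructed from the 26-byte Zone.Identifier preview.
SAMPLE_ZONE = "[ZoneTransfer]\r\n\r\nZoneId=0"
SAMPLE_SHA256 = "810834cae1e8be03e2534968ea0a1132a6d2dd18d8fd3e366c3d9dca3fb05846"
DROPPED_SHA256 = "810834CAE1E8BE03E2534968EA0A1132A6D2DD18D8FD3E366C3D9DCA3FB05846"

ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites", 3: "Internet", 4: "Restricted sites"}


def load_task_xml(raw) -> str:
    """schtasks writes Task XML as UTF-16; accept bytes or str and drop the
    declaration so ElementTree is not confused by the declared encoding."""
    if isinstance(raw, bytes):
        raw = raw.decode("utf-16" if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8")
    return re.sub(r"^\s*<\?xml[^>]*\?>", "", raw)


def parse_task(xml_text) -> dict:
    """Extract the fields that decide whether a task is a persistence mechanism."""
    root = ET.fromstring(load_task_xml(xml_text))
    def text(path):
        return (root.findtext(path, "", TASK_NS) or "").strip()
    # A trigger without <Enabled> is enabled by default in the Task Scheduler schema.
    triggers = [(t.tag.split("}")[-1], t.findtext("t:Enabled", "true", TASK_NS).strip().lower() == "true")
                for t in root.findall("t:Triggers/*", TASK_NS)]
    return {"author": text("t:RegistrationInfo/t:Author"),
            "run_level": text("t:Principals/t:Principal/t:RunLevel"),
            "triggers": triggers,
            "commands": [(c.text or "").strip() for c in root.findall("t:Actions/t:Exec/t:Command", TASK_NS)]}


def parse_schtasks_cmdline(cmdline: str) -> dict:
    """Pull /TN, /TR and /XML out of a schtasks /Create line. The sandbox renders
    quoting with single quotes; a regex tokenizer keeps the backslashes intact,
    which shlex in POSIX mode would not."""
    tokens = [t[1:-1] if len(t) >= 2 and t[0] in "'\"" and t[-1] == t[0] else t
              for t in re.findall(r"""'[^']*'|"[^"]*"|\S+""", cmdline)]
    return {tokens[i][1:].lower(): tokens[i + 1]
            for i in range(len(tokens) - 1) if tokens[i].upper() in ("/TN", "/TR", "/XML")}


def parse_zone_identifier(ads: str) -> tuple:
    """Decode the Zone.Identifier alternate data stream into (ZoneId, zone name)."""
    m = re.search(r"^ZoneId\s*=\s*(\d+)", ads, re.M)
    zone = int(m.group(1)) if m else -1
    return zone, ZONE_NAMES.get(zone, "unknown")


def triage(task: dict, sched: dict, zone: int, sample_sha256: str, dropped_sha256: str) -> list:
    """Return the persistence and evasion findings a responder would record."""
    f = []
    if any(k == "LogonTrigger" and on for k, on in task["triggers"]):
        f.append("task fires at every interactive logon (LogonTrigger enabled)")
    tn = sched.get("tn", "")
    if tn and not tn.lower().startswith("microsoft\\"):
        f.append(f"task registered outside the Microsoft\\ folder: {tn}")
    if re.search(r"\\AppData\\(Roaming|Local\\Temp)\\", sched.get("xml", ""), re.I):
        f.append("task definition staged from a user-writable temp path")
    f += [f"task action runs from %APPDATA%: {c}" for c in task["commands"]
          if re.search(r"\\AppData\\Roaming\\", c, re.I)]
    if zone == 0:
        f.append("dropped copy tagged ZoneId=0 (Local machine): no Mark-of-the-Web")
    if sample_sha256.lower() == dropped_sha256.lower():
        f.append("dropped file is a byte-identical self-copy of the sample")
    return f


if __name__ == "__main__":
    for line in triage(parse_task(SAMPLE_TASK_XML), parse_schtasks_cmdline(SAMPLE_SCHTASKS),
                       parse_zone_identifier(SAMPLE_ZONE)[0], SAMPLE_SHA256, DROPPED_SHA256):
        print("-", line)
```

On a live host the same parse_task() can be pointed at the registered definition under C:\Windows\System32\Tasks\Updates\OgXhLeamRasUa, which Task Scheduler stores as UTF-16 XML, and the tn/xml pair from the command line is what to search for in Sysmon process-creation or Security 4698 (task created) events. The RunLevel of LeastPrivilege and the InteractiveToken logon type confirm the task needs no elevation to persist.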

                                            General

                                            Start time:07:48:16
                                            Start date:14/10/2021
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7f20f0000
                                            File size:625664 bytes
                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            General

                                            Start time:07:48:16
                                            Start date:14/10/2021
                                            Path:C:\Users\user\Desktop\QUOTE 7254.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Users\user\Desktop\QUOTE 7254.exe
                                            Imagebase:0xa40000
                                            File size:591872 bytes
                                            MD5 hash:4D0F6D1430135A6779417B51294AF53C
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.560111037.0000000003034000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.558003785.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000006.00000002.558003785.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.559986480.0000000002F81000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.559986480.0000000002F81000.00000004.00000001.sdmp, Author: Joe Security
                                            Reputation:low

                                            Disassembly

                                            Code Analysis


                                              Executed Functions

                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 00ADA516
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.313784947.0000000000AD0000.00000040.00000001.sdmp, Offset: 00AD0000, based on PE: false
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID: @Ot$@Ot
                                              • API String ID: 4139908857-1417152503
                                              • Opcode ID: 3afa9455fa9f39fd1608e68386f1f23615e3452ea994f25a3b4709fbfa4d7de0
                                              • Instruction ID: ecf2376e5e3cd87aa4c8b0184d1d7114f935cd24c5b661ae592e27c0604ff7bd
                                              • Opcode Fuzzy Hash: 3afa9455fa9f39fd1608e68386f1f23615e3452ea994f25a3b4709fbfa4d7de0
                                              • Instruction Fuzzy Hash: C4711470A00B058FD724DF6AD14579ABBF6BF88314F00892ED48ADBB50DB74E9458B92
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00ADC7BE,?,?,?,?,?), ref: 00ADC87F
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.313784947.0000000000AD0000.00000040.00000001.sdmp, Offset: 00AD0000, based on PE: false
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: ba85c323fae7f2ce96c0a569b55856d41c5d83975acdd5dccec4df2af9912bab
                                              • Instruction ID: 93383148dfb6b63b1565e65d4768ef5b17dda90c3c4f2631055707929eeb6e88
                                              • Opcode Fuzzy Hash: ba85c323fae7f2ce96c0a569b55856d41c5d83975acdd5dccec4df2af9912bab
                                              • Instruction Fuzzy Hash: DA2116B5D01209DFDB10CFA9D484ADEBBF8FB48320F14841AE815A3710D7789945CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00ADC7BE,?,?,?,?,?), ref: 00ADC87F
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.313784947.0000000000AD0000.00000040.00000001.sdmp, Offset: 00AD0000, based on PE: false
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: 0f8b756318ee60d02d3e457bc9319f4e1e3615cff17a62e080b9657af2a46948
                                              • Instruction ID: 5e0050e77b0cf783197bc46523f6701ce304810603f55854ebd847bbba8c22f0
                                              • Opcode Fuzzy Hash: 0f8b756318ee60d02d3e457bc9319f4e1e3615cff17a62e080b9657af2a46948
                                              • Instruction Fuzzy Hash: 7C21E5B5900209EFDB10CF99D584ADEBBF8EB48324F14841AE915A7310D774A954CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00ADA591,00000800,00000000,00000000), ref: 00ADA7A2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.313784947.0000000000AD0000.00000040.00000001.sdmp, Offset: 00AD0000, based on PE: false
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: fdc77930b0003f02c85add7341c901a31cd7ecf1df7fd2a09d342016a021264e
                                              • Instruction ID: 7526ee78bf212f8e5f1094b7ac9f723db03bfffc6a86fc40d4f61fe64d76c224
                                              • Opcode Fuzzy Hash: fdc77930b0003f02c85add7341c901a31cd7ecf1df7fd2a09d342016a021264e
                                              • Instruction Fuzzy Hash: 5D11E7B69003099FDB10CF9AD448ADEFBF4EB98314F14842ED416A7700C375A945CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00ADA591,00000800,00000000,00000000), ref: 00ADA7A2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.313784947.0000000000AD0000.00000040.00000001.sdmp, Offset: 00AD0000, based on PE: false
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: ddc0d2f30cc7f746ba8396086d7ae7d36f0df17d7a9bcc30069f479be001067c
                                              • Instruction ID: 1b0ac3fc922b8e76681fc606c8c6f774dc60898288269bd5426c7c35379b6ea7
                                              • Opcode Fuzzy Hash: ddc0d2f30cc7f746ba8396086d7ae7d36f0df17d7a9bcc30069f479be001067c
                                              • Instruction Fuzzy Hash: E811E2B69002498FDB14CFAAD584ADEFBF4AF58324F14852ED81AA7700C374A945CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • PostMessageW.USER32(?,?,?,?), ref: 07562E7D
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.318320846.0000000007560000.00000040.00000001.sdmp, Offset: 07560000, based on PE: false
                                              Similarity
                                              • API ID: MessagePost
                                              • String ID:
                                              • API String ID: 410705778-0
                                              • Opcode ID: f1b6992186fcfebaed8784e5e4a1eb783d2992e9d5c29545533e15a66e35af4a
                                              • Instruction ID: 4a5dbf52b09f4a81b3071ff5b2fd54b99020498f812a77f58f80c14b10af11de
                                              • Opcode Fuzzy Hash: f1b6992186fcfebaed8784e5e4a1eb783d2992e9d5c29545533e15a66e35af4a
                                              • Instruction Fuzzy Hash: A41106B58003099FDB10CF99D489BDEBFF4FB48320F20851AD418A7600C375A945CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 00ADA516
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.313784947.0000000000AD0000.00000040.00000001.sdmp, Offset: 00AD0000, based on PE: false
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: 5a9e7a38345b4f9ba8ed82ade4a21efce756101087969a8a74a7cf2a28421f91
                                              • Instruction ID: 38ce4b56ae754af77aa95230a46b0f7265f8f6ee222c87cdb8748e60f15dda67
                                              • Opcode Fuzzy Hash: 5a9e7a38345b4f9ba8ed82ade4a21efce756101087969a8a74a7cf2a28421f91
                                              • Instruction Fuzzy Hash: 4711DFB5C006498FDB20CF9AD448ADEFBF4AB88324F14852AD42AA7700D374A545CFA2
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • PostMessageW.USER32(?,?,?,?), ref: 07562E7D
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.318320846.0000000007560000.00000040.00000001.sdmp, Offset: 07560000, based on PE: false
                                              Similarity
                                              • API ID: MessagePost
                                              • String ID:
                                              • API String ID: 410705778-0
                                              • Opcode ID: e42c35cbe2cc31b78357488c70de344bc769adafc0d0e1389783c76e98b8ac40
                                              • Instruction ID: b546149bd5960fca195a1ab9b18d07e9954bb4ee8ee24ff8bbb7ac6b0c2a907e
                                              • Opcode Fuzzy Hash: e42c35cbe2cc31b78357488c70de344bc769adafc0d0e1389783c76e98b8ac40
                                              • Instruction Fuzzy Hash: 1F11E5B5800349DFDB10CF9AD588BDEBBF8FB48324F14841AD919A7600D374A944CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Non-executed Functions

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.313784947.0000000000AD0000.00000040.00000001.sdmp, Offset: 00AD0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 188b3b09ce536a2a92623d4f143568d5108c4b037067e756dbea340d2b356f7a
                                              • Instruction ID: 0f82ee50938ded5ab5389fc3d42df27495f30b9a9c11beb4701aeddb6270f3b1
                                              • Opcode Fuzzy Hash: 188b3b09ce536a2a92623d4f143568d5108c4b037067e756dbea340d2b356f7a
                                              • Instruction Fuzzy Hash: 351239F1C917468BD711CF66E8E81893BB8B745328FD04B0AD2611FAD9D3B8146ACF64
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.313784947.0000000000AD0000.00000040.00000001.sdmp, Offset: 00AD0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 002407708952e910fba740b4792fa88cf42060fb8b8bb4f6a7211f07c3746e4f
                                              • Instruction ID: 32c54d73b59eb38c2fa7896e7503b86cb09dd80cc3dda5b420126485ab348c37
                                              • Opcode Fuzzy Hash: 002407708952e910fba740b4792fa88cf42060fb8b8bb4f6a7211f07c3746e4f
                                              • Instruction Fuzzy Hash: A5A15C36E0021A8FCF15DFB5C9845DEBBB2FF85300B15856AE906BB321EB31A955CB40
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.313784947.0000000000AD0000.00000040.00000001.sdmp, Offset: 00AD0000, based on PE: false
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9b4d0ac9c1f5372278e89cf6f1ea33c150ecf5aea286219f18f654d917d083b8
                                              • Instruction ID: f36bfa7cff70c26d4ac637ab7ce8b697b169859614e0629df4e69f96de8e7bf7
                                              • Opcode Fuzzy Hash: 9b4d0ac9c1f5372278e89cf6f1ea33c150ecf5aea286219f18f654d917d083b8
                                              • Instruction Fuzzy Hash: A1C180F1C917458BD701DF66E8E81893BB9BB85328FD04B0AD2212F6D8D7B4146ACF64
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Executed Functions

                                              APIs
                                              • GetCurrentProcess.KERNEL32 ref: 013469A0
                                              • GetCurrentThread.KERNEL32 ref: 013469DD
                                              • GetCurrentProcess.KERNEL32 ref: 01346A1A
                                              • GetCurrentThreadId.KERNEL32 ref: 01346A73
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.559519322.0000000001340000.00000040.00000001.sdmp, Offset: 01340000, based on PE: false
                                              Similarity
                                              • API ID: Current$ProcessThread
                                              • String ID:
                                              • API String ID: 2063062207-0
                                              • Opcode ID: 299997650c310074d2dd60d9b86865d284eabb1c22c473efad32a6ce0015628f
                                              • Instruction ID: 51932bf466cc2b2a0bbc14989e7132a4ec21e5c476d9a3219b6aef684d3018fe
                                              • Opcode Fuzzy Hash: 299997650c310074d2dd60d9b86865d284eabb1c22c473efad32a6ce0015628f
                                              • Instruction Fuzzy Hash: F351BBB09047858FDB11CFA9D958BDEBFF0EF4A308F24889AD044AB351C7346888CB65
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetCurrentProcess.KERNEL32 ref: 013469A0
                                              • GetCurrentThread.KERNEL32 ref: 013469DD
                                              • GetCurrentProcess.KERNEL32 ref: 01346A1A
                                              • GetCurrentThreadId.KERNEL32 ref: 01346A73
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.559519322.0000000001340000.00000040.00000001.sdmp, Offset: 01340000, based on PE: false
                                              Similarity
                                              • API ID: Current$ProcessThread
                                              • String ID:
                                              • API String ID: 2063062207-0
                                              • Opcode ID: 7fa1e8f25fe10b2426cdbf8f7471189eb5739027af74ca7f50b7504a8a6de75c
                                              • Instruction ID: 59b30e29d44178e940f7cbd3a8a7414d49b2ee64108ddeffeeda904cf20b2fbc
                                              • Opcode Fuzzy Hash: 7fa1e8f25fe10b2426cdbf8f7471189eb5739027af74ca7f50b7504a8a6de75c
                                              • Instruction Fuzzy Hash: D65145B49006498FEB14CFAAC648BDEBBF4EF89318F208459E459A7350D774A884CF65
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 013451A2
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.559519322.0000000001340000.00000040.00000001.sdmp, Offset: 01340000, based on PE: false
                                              Similarity
                                              • API ID: CreateWindow
                                              • String ID:
                                              • API String ID: 716092398-0
                                              • Opcode ID: 94f6a4fe33781730f21d68e500afb9aea4a027452354adaa83b052279edbc545
                                              • Instruction ID: 107c15f94b77c93e2ec7c8be7eb5f741907c57ca8195e67ea932ba812d10ca67
                                              • Opcode Fuzzy Hash: 94f6a4fe33781730f21d68e500afb9aea4a027452354adaa83b052279edbc545
                                              • Instruction Fuzzy Hash: 3951B0B1D103199FDF14CF99C884ADEBBF5BF48314F24852AE819AB210D775A985CF90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 013451A2
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.559519322.0000000001340000.00000040.00000001.sdmp, Offset: 01340000, based on PE: false
                                              Similarity
                                              • API ID: CreateWindow
                                              • String ID:
                                              • API String ID: 716092398-0
                                              • Opcode ID: d1f0b0ad39d26849f58642842b66b31bcc0cd9618d984d23c312883a6f8493d4
                                              • Instruction ID: ecaac779bdb7f546963eb4e86f727b1f0c3ea44bafb52281771d0a7dbad55130
                                              • Opcode Fuzzy Hash: d1f0b0ad39d26849f58642842b66b31bcc0cd9618d984d23c312883a6f8493d4
                                              • Instruction Fuzzy Hash: F34190B1D103099FDF14CF9AC884ADEBBF5BF48314F64852AE819AB210D775A945CF90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 01347F01
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.559519322.0000000001340000.00000040.00000001.sdmp, Offset: 01340000, based on PE: false
                                              Similarity
                                              • API ID: CallProcWindow
                                              • String ID:
                                              • API String ID: 2714655100-0
                                              • Opcode ID: 990f65ae7571db7c444fb9f0553ce3a4cb0eeb71937bdb35a11d5ad682a3840f
                                              • Instruction ID: 90274d2c961aebe1f54b3a939a1d46477730cbdbf7b010b2c95b843e6aefd02b
                                              • Opcode Fuzzy Hash: 990f65ae7571db7c444fb9f0553ce3a4cb0eeb71937bdb35a11d5ad682a3840f
                                              • Instruction Fuzzy Hash: 80411DB5900305CFDB14CF99C488A9ABBF5FF88318F24C559E519A7321D774A945CFA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01346BEF
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.559519322.0000000001340000.00000040.00000001.sdmp, Offset: 01340000, based on PE: false
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: 68ac3344d742e81be936565a8501fdf529f351fcede46a848aaa61f3257385a0
                                              • Instruction ID: af5bb850b136ad303321257aa1538c6c49ef85f1a36d686f4523007b43677fd1
                                              • Opcode Fuzzy Hash: 68ac3344d742e81be936565a8501fdf529f351fcede46a848aaa61f3257385a0
                                              • Instruction Fuzzy Hash: D721E4B59002489FDB10CFA9D584AEEBFF4EB49324F14842AE914A3310D378A954CF61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01346BEF
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.559519322.0000000001340000.00000040.00000001.sdmp, Offset: 01340000, based on PE: false
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: 4242cb43c4bb6210c79fb066ea2b95e1bab9104662aadd1711fb76e2b5e74bc3
                                              • Instruction ID: 685a015c0ea57fa8ff6646a1874cef8505564946d6a826943d85f85995ecd629
                                              • Opcode Fuzzy Hash: 4242cb43c4bb6210c79fb066ea2b95e1bab9104662aadd1711fb76e2b5e74bc3
                                              • Instruction Fuzzy Hash: 5C21D3B5D00248DFDB10CFAAD984ADEBBF8FB49324F14841AE914A3310D378A954CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • RtlEncodePointer.NTDLL(00000000), ref: 0134C212
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.559519322.0000000001340000.00000040.00000001.sdmp, Offset: 01340000, based on PE: false
                                              Similarity
                                              • API ID: EncodePointer
                                              • String ID:
                                              • API String ID: 2118026453-0
                                              • Opcode ID: 1de50a25f4cbf4cb47b493d1c0761a4610f9d0f1ddc4621cd1189a5f47d75bb4
                                              • Instruction ID: f2a8ae70b46b00deb312ff2c8681a504ba7c8ef5c6eb203beaa720b498a0c8da
                                              • Opcode Fuzzy Hash: 1de50a25f4cbf4cb47b493d1c0761a4610f9d0f1ddc4621cd1189a5f47d75bb4
                                              • Instruction Fuzzy Hash: B2117C71D4230A8FDB10DFA9D54879EBBF4EB49318F24882AD409A7700C779A944CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 01344116
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.559519322.0000000001340000.00000040.00000001.sdmp, Offset: 01340000, based on PE: false
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: 031171c10b1e6863c13cf317ae877d42000cbb10665c60993882662fc641efcf
                                              • Instruction ID: adb7723a0e905ffa61df2e42ae42d12cce4ad10a6ab21e10e98fea8a0ca5cce1
                                              • Opcode Fuzzy Hash: 031171c10b1e6863c13cf317ae877d42000cbb10665c60993882662fc641efcf
                                              • Instruction Fuzzy Hash: 451102B6D006498FDB20DF9AC444BDEFBF4EB49328F14842AD929B7600D379A545CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 01344116
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.559519322.0000000001340000.00000040.00000001.sdmp, Offset: 01340000, based on PE: false
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: ceb11e87be19a34854fa35bf155795846180377e8bd8df9cfaaba79c1ea491f0
                                              • Instruction ID: 4e0c5defbb4ad5f283d9ba231c3b325a7e1462c3e17f737b4df90f5c6e4f388b
                                              • Opcode Fuzzy Hash: ceb11e87be19a34854fa35bf155795846180377e8bd8df9cfaaba79c1ea491f0
                                              • Instruction Fuzzy Hash: AC11F3B59006498BDB10CF9AC448BDEFBF4EB49314F15842AD429B7600D379A545CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Non-executed Functions