Windows Analysis Report IMAGE_0004.bat

Overview

General Information

Sample Name: IMAGE_0004.bat (renamed file extension from bat to exe)
Analysis ID: 502635
MD5: 3722d60a637a0c27261a839a04d7d4d2
SHA1: 3933f5a2ea8b486ff8247e30d228e00d17f39e3f
SHA256: add10727ec98dd291126c26b084300c9c050722305e19ba54e8bd564897da586
Tags: AgentTesla, bat, exe

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Yara detected AgentTesla
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Moves itself to temp directory
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • IMAGE_0004.exe (PID: 7060 cmdline: 'C:\Users\user\Desktop\IMAGE_0004.exe' MD5: 3722D60A637A0C27261A839A04D7D4D2)
    • schtasks.exe (PID: 6396 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\guqslNCu' /XML 'C:\Users\user\AppData\Local\Temp\tmp4781.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • IMAGE_0004.exe (PID: 4228 cmdline: {path} MD5: 3722D60A637A0C27261A839A04D7D4D2)
  • jNnIJrO.exe (PID: 6288 cmdline: 'C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe' MD5: 3722D60A637A0C27261A839A04D7D4D2)
    • schtasks.exe (PID: 4876 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\guqslNCu' /XML 'C:\Users\user\AppData\Local\Temp\tmp42C9.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • jNnIJrO.exe (PID: 1440 cmdline: {path} MD5: 3722D60A637A0C27261A839A04D7D4D2)
  • jNnIJrO.exe (PID: 6612 cmdline: 'C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe' MD5: 3722D60A637A0C27261A839A04D7D4D2)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "shyam@msjfurniturewll.com", "Password": "abc@1234!5", "Host": "mail.msjfurniturewll.com"}

Yara Overview

Memory Dumps

Source :: Rule :: Description :: Author
00000007.00000002.924499413.0000000000402000.00000040.00000001.sdmp :: JoeSecurity_AgentTesla_1 :: Yara detected AgentTesla :: Joe Security
00000007.00000002.924499413.0000000000402000.00000040.00000001.sdmp :: JoeSecurity_AgentTesla_2 :: Yara detected AgentTesla :: Joe Security
00000015.00000002.926831136.0000000002CC1000.00000004.00000001.sdmp :: JoeSecurity_AgentTesla_1 :: Yara detected AgentTesla :: Joe Security
00000015.00000002.926831136.0000000002CC1000.00000004.00000001.sdmp :: JoeSecurity_CredentialStealer :: Yara detected Credential Stealer :: Joe Security
00000015.00000002.924479714.0000000000402000.00000040.00000001.sdmp :: JoeSecurity_AgentTesla_1 :: Yara detected AgentTesla :: Joe Security
(7 entries in total; the remaining entries are not included in this extract)

Unpacked PEs

Source :: Rule :: Description :: Author
21.2.jNnIJrO.exe.400000.0.unpack :: JoeSecurity_AgentTesla_1 :: Yara detected AgentTesla :: Joe Security
21.2.jNnIJrO.exe.400000.0.unpack :: JoeSecurity_AgentTesla_2 :: Yara detected AgentTesla :: Joe Security
7.2.IMAGE_0004.exe.400000.0.unpack :: JoeSecurity_AgentTesla_1 :: Yara detected AgentTesla :: Joe Security
7.2.IMAGE_0004.exe.400000.0.unpack :: JoeSecurity_AgentTesla_2 :: Yara detected AgentTesla :: Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 21.2.jNnIJrO.exe.400000.0.unpack :: Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "shyam@msjfurniturewll.com", "Password": "abc@1234!5", "Host": "mail.msjfurniturewll.com"}
Source: 21.2.jNnIJrO.exe.400000.0.unpack :: Avira: Label: TR/Spy.Gen8
Source: 7.2.IMAGE_0004.exe.400000.0.unpack :: Avira: Label: TR/Spy.Gen8
Source: IMAGE_0004.exe :: Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: IMAGE_0004.exe :: Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: IMAGE_0004.exe, 00000007.00000002.926571605.0000000003011000.00000004.00000001.sdmp, jNnIJrO.exe, 00000015.00000002.926831136.0000000002CC1000.00000004.00000001.sdmp :: String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: jNnIJrO.exe, 00000015.00000002.926831136.0000000002CC1000.00000004.00000001.sdmp :: String found in binary or memory: http://DynDns.comDynDNS
Source: jNnIJrO.exe, 00000015.00000002.926831136.0000000002CC1000.00000004.00000001.sdmp :: String found in binary or memory: http://MuKFQF.com
Source: IMAGE_0004.exe, 00000007.00000002.926571605.0000000003011000.00000004.00000001.sdmp :: String found in binary or memory: http://Ta32N99jPM5hmB3Q0v.com
Source: IMAGE_0004.exe, 00000007.00000003.915498999.00000000011C4000.00000004.00000001.sdmp :: String found in binary or memory: http://Ta32N99jPM5hmB3Q0v.com1-5-21-3853321935-2125563209-4053062332-1002_Classes
Source: IMAGE_0004.exe, 00000007.00000002.928079977.000000000337B000.00000004.00000001.sdmp :: String found in binary or memory: http://mail.msjfurniturewll.com
Source: IMAGE_0004.exe, 00000007.00000002.928079977.000000000337B000.00000004.00000001.sdmp :: String found in binary or memory: http://msjfurniturewll.com
Source: IMAGE_0004.exe, 00000007.00000002.926571605.0000000003011000.00000004.00000001.sdmp :: String found in binary or memory: https://api.ipify.org%
Source: jNnIJrO.exe, 00000015.00000002.926831136.0000000002CC1000.00000004.00000001.sdmp :: String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: IMAGE_0004.exe, 00000007.00000002.924499413.0000000000402000.00000040.00000001.sdmp, jNnIJrO.exe, 00000015.00000002.924479714.0000000000402000.00000040.00000001.sdmp :: String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: IMAGE_0004.exe, 00000007.00000002.926571605.0000000003011000.00000004.00000001.sdmp, jNnIJrO.exe, 00000015.00000002.926831136.0000000002CC1000.00000004.00000001.sdmp :: String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown :: DNS traffic detected: queries for: mail.msjfurniturewll.com
Source: C:\Users\user\Desktop\IMAGE_0004.exe :: Window created: window name: CLIPBRDWNDCLASS

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample :: Static PE information: Filename: IMAGE_0004.exe
.NET source code contains very large array initializations
Source: 21.2.jNnIJrO.exe.400000.0.unpack, <PrivateImplementationDetails>{B0E0C035-C53D-4DB1-A47C-AEC67729B443}/C228C764-BDD0-47DE-B2A4-8F104530BEE4.cs :: Large array initialization: .cctor: array initializer size 11959
Source: IMAGE_0004.exe :: Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\IMAGE_0004.exe :: Code function: 7_2_00C82050
Source: C:\Users\user\Desktop\IMAGE_0004.exe :: Code function: 7_2_01496120
Source: C:\Users\user\Desktop\IMAGE_0004.exe :: Code function: 7_2_0149ED88
Source: C:\Users\user\Desktop\IMAGE_0004.exe :: Code function: 7_2_01492DA0
Source: C:\Users\user\Desktop\IMAGE_0004.exe :: Code function: 7_2_01492490
Source: C:\Users\user\Desktop\IMAGE_0004.exe :: Code function: 7_2_0149BE20
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe :: Code function: 21_2_007D2050
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe :: Code function: 21_2_012346A0
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe :: Code function: 21_2_01234672
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe :: Code function: 21_2_01234690
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe :: Code function: 21_2_0123D300
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe :: Code function: 21_2_007D4CE4
Source: IMAGE_0004.exe, 00000000.00000000.657245795.0000000001098000.00000002.00020000.sdmp :: Binary or memory string: OriginalFilenameLqaa.exe> vs IMAGE_0004.exe
Source: IMAGE_0004.exe, 00000007.00000002.924897767.0000000000D38000.00000002.00020000.sdmp :: Binary or memory string: OriginalFilenameLqaa.exe> vs IMAGE_0004.exe
Source: IMAGE_0004.exe, 00000007.00000002.924499413.0000000000402000.00000040.00000001.sdmp :: Binary or memory string: OriginalFilenameJpYQZpZGRmbGzdwlkADyMMjo.exe4 vs IMAGE_0004.exe
Source: IMAGE_0004.exe, 00000007.00000002.925867539.000000000139A000.00000004.00000020.sdmp :: Binary or memory string: OriginalFilenameclr.dllT vs IMAGE_0004.exe
Source: IMAGE_0004.exe :: Binary or memory string: OriginalFilenameLqaa.exe> vs IMAGE_0004.exe
Source: C:\Users\user\Desktop\IMAGE_0004.exe :: File read: C:\Users\user\Desktop\IMAGE_0004.exe
Source: IMAGE_0004.exe :: Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\IMAGE_0004.exe :: Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown :: Process created: C:\Users\user\Desktop\IMAGE_0004.exe 'C:\Users\user\Desktop\IMAGE_0004.exe'
Source: C:\Users\user\Desktop\IMAGE_0004.exe :: Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\guqslNCu' /XML 'C:\Users\user\AppData\Local\Temp\tmp4781.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe :: Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\IMAGE_0004.exe :: Process created: C:\Users\user\Desktop\IMAGE_0004.exe {path}
Source: unknown :: Process created: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe 'C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe'
Source: unknown :: Process created: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe 'C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe'
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe :: Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\guqslNCu' /XML 'C:\Users\user\AppData\Local\Temp\tmp42C9.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe :: Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe :: Process created: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe {path}
Source: C:\Users\user\Desktop\IMAGE_0004.exe :: Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\IMAGE_0004.exe :: WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe :: WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\IMAGE_0004.exe :: File created: C:\Users\user\AppData\Roaming\guqslNCu.exe
Source: C:\Users\user\Desktop\IMAGE_0004.exe :: File created: C:\Users\user\AppData\Local\Temp\tmp4781.tmp
Source: classification engine :: Classification label: mal100.troj.spyw.evad.winEXE@13/6@2/0
Source: C:\Users\user\Desktop\IMAGE_0004.exe :: File read: C:\Users\user\Desktop\desktop.ini
Source: IMAGE_0004.exe, 00000000.00000000.657135369.0000000000FE2000.00000002.00020000.sdmp, IMAGE_0004.exe, 00000007.00000002.924695261.0000000000C82000.00000002.00020000.sdmp, jNnIJrO.exe, 0000000E.00000000.779159610.0000000000482000.00000002.00020000.sdmp, jNnIJrO.exe, 00000010.00000000.796353165.0000000000362000.00000002.00020000.sdmp, jNnIJrO.exe, 00000015.00000000.847950677.00000000007D2000.00000002.00020000.sdmp :: Binary or memory string: INSERT INTO RolPermiso(RolPermiso_rol, RolPermiso_permiso) VALUES (;Error - Nuevo - RolPermisoDAL
Source: C:\Users\user\Desktop\IMAGE_0004.exe :: Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe :: Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe :: Mutant created: \Sessions\1\BaseNamedObjects\AtgSlQoHX
Source: C:\Windows\System32\conhost.exe :: Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6384:120:WilError_01
Source: C:\Windows\System32\conhost.exe :: Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6244:120:WilError_01
Source: 21.2.jNnIJrO.exe.400000.0.unpack, A/b2.cs :: Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: Window Recorder :: Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\IMAGE_0004.exe :: File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\IMAGE_0004.exe :: Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: IMAGE_0004.exe :: Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: IMAGE_0004.exe :: Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\IMAGE_0004.exe :: Code function: 7_3_0142B941 push edx; retf 7_3_0142B996
Source: C:\Users\user\Desktop\IMAGE_0004.exe :: Code function: 7_3_0142B577 push edx; retf 7_3_0142B57E
Source: C:\Users\user\Desktop\IMAGE_0004.exe :: Code function: 7_3_0142B53B push ss; retf 7_3_0142B562
Source: C:\Users\user\Desktop\IMAGE_0004.exe :: Code function: 7_3_01425B91 push edx; retf 7_3_01425CAE
Source: C:\Users\user\Desktop\IMAGE_0004.exe :: Code function: 7_3_014251A8 push edx; retf 7_3_014251BE
Source: C:\Users\user\Desktop\IMAGE_0004.exe :: Code function: 7_3_0141FE45 push edx; retf 7_3_0141FE5E
Source: C:\Users\user\Desktop\IMAGE_0004.exe :: Code function: 7_3_01425251 push edx; retf 7_3_01425286
Source: C:\Users\user\Desktop\IMAGE_0004.exe :: Code function: 7_3_0142B473 push edx; retf 7_3_0142B486
Source: C:\Users\user\Desktop\IMAGE_0004.exe :: Code function: 7_3_0142B6E2 push ss; retf 7_3_0142B712
Source: C:\Users\user\Desktop\IMAGE_0004.exe :: Code function: 7_3_0142B89E push edx; retf 7_3_0142B8A6
Source: initial sample :: Static PE information: section name: .text entropy: 7.09187025737
Source: C:\Users\user\Desktop\IMAGE_0004.exe :: File created: C:\Users\user\AppData\Roaming\guqslNCu.exe (dropped file)
Source: C:\Users\user\Desktop\IMAGE_0004.exe :: File created: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe (dropped file)
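
Three of the static findings above belong together: a .text section with entropy 7.09 (near the 8.0 ceiling for byte data), a .cctor that initialises an 11959-byte array, and 'CreateDecryptor' / 'TransformFinalBlock' calls in A/b2.cs. That is the usual shape of a .NET loader that carries an encrypted payload as a static byte array and decrypts it at runtime, which is why the unpacked PE at 400000 is what the AgentTesla Yara rules actually hit. The Python below is an added illustration, not Joe Sandbox code and not taken from the sample: it computes the same Shannon entropy figure and then scans fixed-size windows to localise an embedded high-entropy blob inside a buffer. The 7.0 threshold and the 512-byte window are heuristics chosen for the example, and the input bytes are constructed (repetitive text around a deterministic pseudo-random block standing in for the encrypted array).

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


# Heuristic threshold (an assumption for this example, not a Joe Sandbox value):
# code sections of unpacked executables usually sit well below 7 bits/byte;
# values above 7.0, like the 7.09 reported for .text above, are dominated by
# compressed or encrypted data.
PACKED_THRESHOLD = 7.0


def is_likely_packed(entropy: float, threshold: float = PACKED_THRESHOLD) -> bool:
    return entropy >= threshold


def high_entropy_runs(data: bytes, window: int = 512, threshold: float = PACKED_THRESHOLD):
    """Return (start, end) byte ranges covering consecutive `window`-sized chunks
    whose entropy is at or above `threshold`. A payload embedded as one large
    array shows up as a single long run; scattered short runs are usually just
    resources or string tables."""
    runs = []
    for off in range(0, len(data), window):
        chunk = data[off:off + window]
        if len(chunk) < window:      # drop the short tail; it skews the estimate
            break
        if shannon_entropy(chunk) >= threshold:
            if runs and runs[-1][1] == off:
                runs[-1] = (runs[-1][0], off + window)   # extend the current run
            else:
                runs.append((off, off + window))
    return runs


# Constructed input: 4 KiB of repetitive text (what code and string tables look
# like), 4 KiB of deterministic pseudo-random bytes standing in for an encrypted
# payload array, then 2 KiB of text again.
_TEXT = (b"This program cannot be run in DOS mode.\r\n" * 128)[:4096]
_rng = random.Random(1234)
_BLOB = bytes(_rng.getrandbits(8) for _ in range(4096))
SAMPLE = _TEXT + _BLOB + _TEXT[:2048]

if __name__ == "__main__":
    for name, part in (("text", _TEXT), ("blob", _BLOB), ("whole", SAMPLE)):
        e = shannon_entropy(part)
        print(f"{name:5s} entropy={e:.2f} packed={is_likely_packed(e)}")
    print("high-entropy runs:", high_entropy_runs(SAMPLE))
```

Applied to a real file, run `shannon_entropy` over each PE section's raw bytes (with pefile, `section.get_data()`) to reproduce the per-section figure, and `high_entropy_runs` over the .text bytes to find where the array initialiser data lives; the run boundaries are the natural place to start when carving the blob for offline decryption.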

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\IMAGE_0004.exe :: Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\guqslNCu' /XML 'C:\Users\user\AppData\Local\Temp\tmp4781.tmp'
Source: C:\Users\user\Desktop\IMAGE_0004.exe :: Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run jNnIJrO

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\IMAGE_0004.exe :: File opened: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe:Zone.Identifier read attributes | delete
Moves itself to temp directory
Source: c:\users\user\desktop\image_0004.exe :: File moved: C:\Users\user\AppData\Local\Temp\tmpG520.tmp
Source: C:\Users\user\Desktop\IMAGE_0004.exe :: Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\IMAGE_0004.exe :: Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion:

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\IMAGE_0004.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\IMAGE_0004.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\IMAGE_0004.exe TID: 7084 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\IMAGE_0004.exe TID: 5388 | Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Users\user\Desktop\IMAGE_0004.exe TID: 5928 | Thread sleep count: 425 > 30
Source: C:\Users\user\Desktop\IMAGE_0004.exe TID: 5928 | Thread sleep count: 9436 > 30
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe TID: 6308 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe TID: 7156 | Thread sleep time: -23058430092136925s >= -30000s
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe TID: 7160 | Thread sleep count: 1139 > 30
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe TID: 7160 | Thread sleep count: 8702 > 30
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Window / User API: threadDelayed 425
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Window / User API: threadDelayed 9436
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | Window / User API: threadDelayed 1139
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | Window / User API: threadDelayed 8702
Source: C:\Users\user\Desktop\IMAGE_0004.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | Thread delayed: delay time: 922337203685477
Source: IMAGE_0004.exe, 00000007.00000002.925936758.0000000001405000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllj"HH
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Code function: 7_2_0149B1A8 LdrInitializeThunk
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into foreign processes
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Memory written: C:\Users\user\Desktop\IMAGE_0004.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | Memory written: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\guqslNCu' /XML 'C:\Users\user\AppData\Local\Temp\tmp4781.tmp'
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Process created: C:\Users\user\Desktop\IMAGE_0004.exe {path}
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\guqslNCu' /XML 'C:\Users\user\AppData\Local\Temp\tmp42C9.tmp'
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | Process created: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe {path}
Source: IMAGE_0004.exe, 00000007.00000002.926292444.0000000001A40000.00000002.00020000.sdmp, jNnIJrO.exe, 00000015.00000002.926385408.0000000001610000.00000002.00020000.sdmp | Binary or memory string: Program Manager
Source: IMAGE_0004.exe, 00000007.00000002.926292444.0000000001A40000.00000002.00020000.sdmp, jNnIJrO.exe, 00000015.00000002.926385408.0000000001610000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: IMAGE_0004.exe, 00000007.00000002.926292444.0000000001A40000.00000002.00020000.sdmp, jNnIJrO.exe, 00000015.00000002.926385408.0000000001610000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: IMAGE_0004.exe, 00000007.00000002.926292444.0000000001A40000.00000002.00020000.sdmp, jNnIJrO.exe, 00000015.00000002.926385408.0000000001610000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
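The entries above show the persistence and injection chain that is easy to miss in a flat event list: the loader registers a scheduled task from a throwaway tmpXXXX.tmp XML in the user's Temp directory, starts a second copy of its own image ({path}), and writes a PE (MZ header, 4D5A) at base 0x400000 in that child. The Malware Analysis System Evasion group shows the matching sandbox checks: enumerating Win32_BaseBoard, Win32_NetworkAdapterConfiguration and Win32_Processor over WMI, and delay values of 922337203685477, which is (2^63 - 1) // 10000, Int64.MaxValue in 100 ns ticks expressed in milliseconds, so the thread is parked for longer than any sandbox run. The Python script below is an added triage example for both groups; it is not part of the Joe Sandbox report and not the sample's code. The event records are constructed from the report's entries in a dict shape that is this script's own assumption rather than the sandbox export format, and the two-class threshold for WMI fingerprinting is a tuning choice.

```python
"""Triage checks for the evasion and persistence entries in this report.

Added example, not part of the sandbox report and not the sample's own code.
Events are constructed from the report's entries in a dict shape that is this
script's own assumption, not the sandbox export format.
"""
import re
from collections import defaultdict

# Int64.MaxValue in 100 ns ticks, converted to milliseconds: the largest
# relative delay a LARGE_INTEGER can express. This is exactly the
# 922337203685477 the report shows, i.e. a sleep that never ends on its own.
MAX_DELAY_MS = (2**63 - 1) // 10_000

# WMI classes enumerated to fingerprint the host (board/BIOS vendor strings,
# adapter MAC prefixes, CPU names). Several from one process is a much
# stronger signal than one, since inventory tools legitimately query singles.
FINGERPRINT_CLASSES = {
    "Win32_BaseBoard", "Win32_Bios", "Win32_Processor", "Win32_ComputerSystem",
    "Win32_NetworkAdapterConfiguration", "Win32_VideoController", "Win32_DiskDrive",
}

_TN = re.compile(r"""/TN\s+['"]?([^'"\s]+)""", re.I)
_XML = re.compile(r"""/XML\s+['"]?([^'"]+)""", re.I)
# Task XML dropped as %LOCALAPPDATA%\Temp\tmpXXXX.tmp, the naming seen above.
_TEMP_TMP = re.compile(r"\\AppData\\Local\\Temp\\tmp[0-9A-F]{4}\.tmp$", re.I)


def schtasks_from_temp_xml(cmdline):
    """(task_name, xml_path) if a task is registered from a temp .tmp XML, else None."""
    lowered = cmdline.lower()
    if "schtasks" not in lowered or "/create" not in lowered:
        return None
    tn, xml = _TN.search(cmdline), _XML.search(cmdline)
    if not (tn and xml) or not _TEMP_TMP.search(xml.group(1).strip()):
        return None
    return tn.group(1), xml.group(1).strip()


def is_self_spawn(parent_image, child_image):
    """True when a process starts a second copy of its own image; the report
    then shows a PE (4D5A at base 0x400000) written into that child."""
    return parent_image.lower() == child_image.lower()


def is_unbounded_sleep(delay_ms, limit_ms=MAX_DELAY_MS):
    """True for a delay at the representable maximum (sign ignored, the
    report prints the intervals as negatives)."""
    return abs(delay_ms) >= limit_ms


def vm_fingerprint_classes(events, min_classes=2):
    """process -> sorted fingerprint classes, for processes touching >= min_classes."""
    seen = defaultdict(set)
    for ev in events:
        if ev["type"] == "wmi" and ev["class"] in FINGERPRINT_CLASSES:
            seen[ev["process"]].add(ev["class"])
    return {p: sorted(c) for p, c in seen.items() if len(c) >= min_classes}


def triage(events):
    """Return (category, process, detail) findings in event order, WMI last."""
    findings = []
    for ev in events:
        if ev["type"] == "proc":
            hit = schtasks_from_temp_xml(ev["cmdline"])
            if hit:
                findings.append(("persistence", ev["parent"], "task %s registered from %s" % hit))
            if is_self_spawn(ev["parent"], ev["image"]):
                findings.append(("injection", ev["parent"], "spawned its own image; expect a PE written into the child"))
        elif ev["type"] == "sleep" and is_unbounded_sleep(ev["delay_ms"]):
            findings.append(("evasion", ev["process"], "sleep at the representable maximum (%d)" % ev["delay_ms"]))
    for proc, classes in vm_fingerprint_classes(events).items():
        findings.append(("evasion", proc, "host fingerprint via WMI: " + ", ".join(classes)))
    return findings


LOADER = r"C:\Users\user\Desktop\IMAGE_0004.exe"
SAMPLE_EVENTS = [  # constructed from the report's entries; not a sandbox export
    {"type": "proc", "parent": LOADER, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\guqslNCu' "
                r"/XML 'C:\Users\user\AppData\Local\Temp\tmp4781.tmp'"},
    {"type": "proc", "parent": LOADER, "image": LOADER, "cmdline": "{path}"},
    {"type": "wmi", "process": LOADER, "class": "Win32_BaseBoard"},
    {"type": "wmi", "process": LOADER, "class": "Win32_Processor"},
    {"type": "wmi", "process": LOADER, "class": "Win32_NetworkAdapterConfiguration"},
    {"type": "sleep", "process": LOADER, "delay_ms": 922337203685477},
    # benign controls: one inventory query and a 30 s sleep must not fire
    {"type": "wmi", "process": r"C:\Windows\System32\svchost.exe", "class": "Win32_Processor"},
    {"type": "sleep", "process": r"C:\Windows\System32\svchost.exe", "delay_ms": 30_000},
]

if __name__ == "__main__":
    for category, process, detail in triage(SAMPLE_EVENTS):
        print(f"[{category}] {process}: {detail}")
```

Run against the constructed events it reports four findings for IMAGE_0004.exe (the task from tmp4781.tmp, the self-spawn, the maximal sleep and the three-class WMI fingerprint) and nothing for the svchost.exe controls. On a real host the same three checks map onto Sysmon process-creation events for the first two and onto a WMI-activity trace for the third; the sleep check only applies to sandbox or API-trace output, since a scheduled delay is not visible in ordinary event logs.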
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Users\user\Desktop\IMAGE_0004.exe VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\IMAGE_0004.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_0004.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\IMAGE_00