
Windows Analysis Report V5Al4cc8RL

Overview

General Information

Sample Name: V5Al4cc8RL (renamed file extension from none to exe)
Analysis ID: 552874
MD5: 5b8c247358c809a35edfc69ce74ea5c7
SHA1: 663b2a00733f4ab4af9e73c948a14aacaa3d4c6e
SHA256: 23c7ee11b32f31b5b6bb9c94af7250d3c8edaccb70ab9472d15a3a9ae2ee3b8d
Tags: 32, exe, trojan

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • V5Al4cc8RL.exe (PID: 6220 cmdline: "C:\Users\user\Desktop\V5Al4cc8RL.exe" MD5: 5B8C247358C809A35EDFC69CE74EA5C7)
    • V5Al4cc8RL.exe (PID: 6512 cmdline: C:\Users\user\Desktop\V5Al4cc8RL.exe MD5: 5B8C247358C809A35EDFC69CE74EA5C7)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "hisgraceinme@yandex.com", "Password": "newyear2022", "Host": "smtp.yandex.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.497968057.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000004.00000002.497968057.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000000.00000002.257945194.0000000002B07000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000004.00000000.255852649.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000004.00000000.255852649.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
(first 5 of 15 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.V5Al4cc8RL.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
4.2.V5Al4cc8RL.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
4.0.V5Al4cc8RL.exe.400000.6.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
4.0.V5Al4cc8RL.exe.400000.6.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
0.2.V5Al4cc8RL.exe.2b51724.2.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
(first 5 of 17 entries shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 4.0.V5Al4cc8RL.exe.400000.12.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "hisgraceinme@yandex.com", "Password": "newyear2022", "Host": "smtp.yandex.com"}
Multi AV Scanner detection for submitted file
Source: V5Al4cc8RL.exe | Virustotal: Detection: 33%
Source: V5Al4cc8RL.exe | ReversingLabs: Detection: 41%
Machine Learning detection for sample
Source: V5Al4cc8RL.exe | Joe Sandbox ML: detected
Source: 4.0.V5Al4cc8RL.exe.400000.12.unpack | Avira: Label: TR/Spy.Gen8
Source: 4.0.V5Al4cc8RL.exe.400000.8.unpack | Avira: Label: TR/Spy.Gen8
Source: 4.2.V5Al4cc8RL.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 4.0.V5Al4cc8RL.exe.400000.6.unpack | Avira: Label: TR/Spy.Gen8
Source: 4.0.V5Al4cc8RL.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 4.0.V5Al4cc8RL.exe.400000.10.unpack | Avira: Label: TR/Spy.Gen8
Source: V5Al4cc8RL.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: V5Al4cc8RL.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Joe Sandbox View | IP Address: 77.88.21.158
Source: global traffic | TCP traffic: 192.168.2.5:49836 -> 77.88.21.158:587
Source: global traffic | TCP traffic: 192.168.2.5:49836 -> 77.88.21.158:587
Source: V5Al4cc8RL.exe, 00000004.00000002.505859012.0000000002A61000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: V5Al4cc8RL.exe, 00000004.00000002.505859012.0000000002A61000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: V5Al4cc8RL.exe, 00000004.00000002.505859012.0000000002A61000.00000004.00000001.sdmp | String found in binary or memory: http://QBAAYx.com
Source: V5Al4cc8RL.exe, 00000004.00000002.507092323.0000000002DB6000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000004.00000002.503892448.0000000000CF1000.00000004.00000020.sdmp | String found in binary or memory: http://crl.certum.pl/ca.crl0h
Source: V5Al4cc8RL.exe, 00000004.00000002.507092323.0000000002DB6000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000004.00000002.503892448.0000000000CF1000.00000004.00000020.sdmp | String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: V5Al4cc8RL.exe, 00000004.00000002.507092323.0000000002DB6000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000004.00000002.503892448.0000000000CF1000.00000004.00000020.sdmp | String found in binary or memory: http://crls.yandex.net/certum/ycasha2.crl0-
Source: V5Al4cc8RL.exe, 00000000.00000003.235602973.0000000005AD6000.00000004.00000001.sdmp | String found in binary or memory: http://en.wPTf
Source: V5Al4cc8RL.exe, 00000000.00000003.235089237.0000000005AF2000.00000004.00000001.sdmp | String found in binary or memory: http://en.wikipedia
Source: V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: V5Al4cc8RL.exe, 00000004.00000002.507092323.0000000002DB6000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000004.00000002.503892448.0000000000CF1000.00000004.00000020.sdmp | String found in binary or memory: http://repository.certum.pl/ca.cer09
Source: V5Al4cc8RL.exe, 00000004.00000002.503892448.0000000000CF1000.00000004.00000020.sdmp | String found in binary or memory: http://repository.certum.pl/ca4
Source: V5Al4cc8RL.exe, 00000004.00000002.507092323.0000000002DB6000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000004.00000002.503892448.0000000000CF1000.00000004.00000020.sdmp | String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: V5Al4cc8RL.exe, 00000004.00000002.507092323.0000000002DB6000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000004.00000002.503892448.0000000000CF1000.00000004.00000020.sdmp | String found in binary or memory: http://repository.certum.pl/ycasha2.cer0
Source: V5Al4cc8RL.exe, 00000004.00000002.507040750.0000000002DAE000.00000004.00000001.sdmp | String found in binary or memory: http://smtp.yandex.com
Source: V5Al4cc8RL.exe, 00000004.00000002.503892448.0000000000CF1000.00000004.00000020.sdmp | String found in binary or memory: http://subca.ocs-
Source: V5Al4cc8RL.exe, 00000004.00000002.507092323.0000000002DB6000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000004.00000002.503892448.0000000000CF1000.00000004.00000020.sdmp | String found in binary or memory: http://subca.ocsp-certum.com0.
Source: V5Al4cc8RL.exe, 00000004.00000002.507092323.0000000002DB6000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000004.00000002.503892448.0000000000CF1000.00000004.00000020.sdmp | String found in binary or memory: http://subca.ocsp-certum.com01
Source: V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.238151607.0000000005AD7000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.238082880.0000000005AD7000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: V5Al4cc8RL.exe, 00000004.00000002.507092323.0000000002DB6000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000004.00000002.503892448.0000000000CF1000.00000004.00000020.sdmp | String found in binary or memory: http://www.certum.pl/CPS0
Source: V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.242524112.0000000005ADE000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.242181300.0000000005ADC000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.242431858.0000000005ADC000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.242229742.0000000005ADD000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: V5Al4cc8RL.exe, 00000000.00000003.242229742.0000000005ADD000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmljC1
Source: V5Al4cc8RL.exe, 00000000.00000003.242229742.0000000005ADD000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlu-hu-d
Source: V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: V5Al4cc8RL.exe, 00000000.00000003.242181300.0000000005ADC000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.242431858.0000000005ADC000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.242229742.0000000005ADD000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmlJ
Source: V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: V5Al4cc8RL.exe, 00000000.00000003.242524112.0000000005ADE000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.243646078.0000000005ADC000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comF
Source: V5Al4cc8RL.exe, 00000000.00000003.242524112.0000000005ADE000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.242181300.0000000005ADC000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.242431858.0000000005ADC000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.242229742.0000000005ADD000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comF9D
Source: V5Al4cc8RL.exe, 00000000.00000003.242524112.0000000005ADE000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comalsd
Source: V5Al4cc8RL.exe, 00000000.00000003.247569775.0000000005AD7000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000002.261731654.0000000005AD0000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.247686760.0000000005AD7000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comasno
Source: V5Al4cc8RL.exe, 00000000.00000003.242431858.0000000005ADC000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comcomF
Source: V5Al4cc8RL.exe, 00000000.00000003.242229742.0000000005ADD000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comd6D
Source: V5Al4cc8RL.exe, 00000000.00000003.247271696.0000000005AD7000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.247569775.0000000005AD7000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000002.261731654.0000000005AD0000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.247686760.0000000005AD7000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comdia6D
Source: V5Al4cc8RL.exe, 00000000.00000003.242229742.0000000005ADD000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comituF
Source: V5Al4cc8RL.exe, 00000000.00000003.247271696.0000000005AD7000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.247569775.0000000005AD7000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.247686760.0000000005AD7000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.como
Source: V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: V5Al4cc8RL.exe, 00000000.00000003.237362893.0000000005AD7000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.237519809.0000000005AD7000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.237445278.0000000005AD8000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: V5Al4cc8RL.exe, 00000000.00000003.237519809.0000000005AD7000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn2
Source: V5Al4cc8RL.exe, 00000000.00000003.237519809.0000000005AD7000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnFROM
Source: V5Al4cc8RL.exe, 00000000.00000003.237519809.0000000005AD7000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnJ
Source: V5Al4cc8RL.exe, 00000000.00000003.237519809.0000000005AD7000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.237445278.0000000005AD8000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnva
Source: V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: V5Al4cc8RL.exe, 00000000.00000003.239487614.0000000005ADD000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.238669999.0000000005ADB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.239393407.0000000005ADD000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: V5Al4cc8RL.exe, 00000000.00000003.239487614.0000000005ADD000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.239393407.0000000005ADD000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp//
Source: V5Al4cc8RL.exe, 00000000.00000003.239487614.0000000005ADD000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.239393407.0000000005ADD000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: V5Al4cc8RL.exe, 00000000.00000003.238669999.0000000005ADB000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/n-u
Source: V5Al4cc8RL.exe, 00000000.00000003.235374791.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236344812.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236022823.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236658890.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236259831.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236566208.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236536316.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236788828.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.235613845.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.237785650.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.237422103.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236732771.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236508751.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.235845119.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.238068440.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.237645057.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.238438414.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.237214547.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236975965.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.235789156.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.238478134.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.238541470.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.238649245.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236679295.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236075154.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236291815.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.235985152.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236618636.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236897959.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.235466855.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.237931677.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236440918.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.238140250.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.235418141.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.235725240.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.235314851.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.238736518.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.237721608.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.235521691.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236393828.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.235657356.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.238766071.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.235946333.0000000005AEB000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: V5Al4cc8RL.exe, 00000000.00000003.235374791.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236344812.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236022823.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236658890.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236259831.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236566208.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236536316.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236788828.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.235613845.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.237785650.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.237422103.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236732771.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236508751.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.235845119.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.238068440.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.237645057.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.238438414.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.237214547.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236975965.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.235789156.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.238478134.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.238541470.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.238649245.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236679295.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236075154.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236291815.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.235985152.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236618636.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236897959.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.235466855.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.237931677.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236440918.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.238140250.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.235418141.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.235725240.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.235314851.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.238736518.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.237721608.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.235521691.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.236393828.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.235657356.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.238766071.0000000005AEB000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000003.235946333.0000000005AEB000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.come
                      Source: V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
                      Source: V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
                      Source: V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
                      Source: V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
                      Source: V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                      Source: V5Al4cc8RL.exe, 00000000.00000002.262245650.0000000006CE2000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                      Source: V5Al4cc8RL.exe, 00000004.00000002.507092323.0000000002DB6000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000004.00000002.503892448.0000000000CF1000.00000004.00000020.sdmpString found in binary or memory: http://yandex.crl.certum.pl/ycasha2.crl0q
                      Source: V5Al4cc8RL.exe, 00000004.00000002.507092323.0000000002DB6000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000004.00000002.503892448.0000000000CF1000.00000004.00000020.sdmpString found in binary or memory: http://yandex.ocsp-responder.com03
                      Source: V5Al4cc8RL.exe, 00000004.00000002.506919005.0000000002D5B000.00000004.00000001.sdmpString found in binary or memory: https://T2RlCNQDaV0Ojub.com
                      Source: V5Al4cc8RL.exe, 00000004.00000002.507092323.0000000002DB6000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000004.00000002.503892448.0000000000CF1000.00000004.00000020.sdmpString found in binary or memory: https://www.certum.pl/CPS0
                      Source: V5Al4cc8RL.exe, 00000000.00000002.258273747.0000000003A99000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000004.00000002.497968057.0000000000402000.00000040.00000001.sdmp, V5Al4cc8RL.exe, 00000004.00000000.254143628.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                      Source: V5Al4cc8RL.exe, 00000004.00000002.505859012.0000000002A61000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
                      Source: unknownDNS traffic detected: queries for: smtp.yandex.com
                      Source: V5Al4cc8RL.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exeCode function: 0_2_028C3A240_2_028C3A24
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exeCode function: 0_2_028CE8E00_2_028CE8E0
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exeCode function: 0_2_028CE8F00_2_028CE8F0
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Code function: 0_2_028CCF14
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Code function: 0_2_028C6C81
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Code function: 4_2_00D70958
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Code function: 4_2_00D776C8
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Code function: 4_2_00D7BE68
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Code function: 4_2_00D78888
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Code function: 4_2_00D7E3A9
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Code function: 4_2_00D9B43C
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Code function: 4_2_00D9DEC0
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Code function: 4_2_00D91FF0
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Code function: 4_2_00D9AB70
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Code function: 4_2_00D92768
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Code function: 4_2_00F40C71
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Code function: 4_2_00F44DA0
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Code function: 4_2_00F4C140
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Code function: 4_2_00F4B690
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Code function: 4_2_00F48320
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Code function: 4_2_00F455E6
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Code function: 4_2_00F455E8
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Code function: 4_2_00F4BD28
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Code function: 4_2_00F4DE60
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Code function: 4_2_00F4AB21
                      Source: V5Al4cc8RL.exe | Binary or memory string: OriginalFilename vs V5Al4cc8RL.exe
                      Source: V5Al4cc8RL.exe, 00000000.00000002.257831013.0000000002A91000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamehnoksqXHWDvXLXQGJLwfmNUry.exe4 vs V5Al4cc8RL.exe
                      Source: V5Al4cc8RL.exe, 00000000.00000002.256860396.0000000000762000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamePolicyLev.exe< vs V5Al4cc8RL.exe
                      Source: V5Al4cc8RL.exe, 00000000.00000002.262709097.00000000091A0000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameUI.dllF vs V5Al4cc8RL.exe
                      Source: V5Al4cc8RL.exe, 00000000.00000002.258273747.0000000003A99000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamehnoksqXHWDvXLXQGJLwfmNUry.exe4 vs V5Al4cc8RL.exe
                      Source: V5Al4cc8RL.exe, 00000000.00000002.258273747.0000000003A99000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUI.dllF vs V5Al4cc8RL.exe
                      Source: V5Al4cc8RL.exe, 00000004.00000002.498271939.0000000000682000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamePolicyLev.exe< vs V5Al4cc8RL.exe
                      Source: V5Al4cc8RL.exe, 00000004.00000002.497968057.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamehnoksqXHWDvXLXQGJLwfmNUry.exe4 vs V5Al4cc8RL.exe
                      Source: V5Al4cc8RL.exe, 00000004.00000002.502687417.0000000000AF8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs V5Al4cc8RL.exe
                      Source: V5Al4cc8RL.exe | Binary or memory string: OriginalFilenamePolicyLev.exe< vs V5Al4cc8RL.exe
                      Source: V5Al4cc8RL.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: V5Al4cc8RL.exe | Virustotal: Detection: 33%
                      Source: V5Al4cc8RL.exe | ReversingLabs: Detection: 41%
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown | Process created: C:\Users\user\Desktop\V5Al4cc8RL.exe "C:\Users\user\Desktop\V5Al4cc8RL.exe"
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Process created: C:\Users\user\Desktop\V5Al4cc8RL.exe C:\Users\user\Desktop\V5Al4cc8RL.exe
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\V5Al4cc8RL.exe.log
                      Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/1
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: V5Al4cc8RL.exe, 00000000.00000003.245108131.0000000005AFC000.00000004.00000001.sdmp | Binary or memory string: of The Monotype Corporation.slnt
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: V5Al4cc8RL.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: V5Al4cc8RL.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

                      Data Obfuscation:

                      .NET source code contains potential unpacker
                      Source: V5Al4cc8RL.exe, ContextForm/AutoMachine.cs | .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 0.2.V5Al4cc8RL.exe.760000.0.unpack, ContextForm/AutoMachine.cs | .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 0.0.V5Al4cc8RL.exe.760000.0.unpack, ContextForm/AutoMachine.cs | .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 4.0.V5Al4cc8RL.exe.680000.13.unpack, ContextForm/AutoMachine.cs | .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 4.0.V5Al4cc8RL.exe.680000.11.unpack, ContextForm/AutoMachine.cs | .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 4.0.V5Al4cc8RL.exe.680000.2.unpack, ContextForm/AutoMachine.cs | .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 4.0.V5Al4cc8RL.exe.680000.0.unpack, ContextForm/AutoMachine.cs | .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 4.0.V5Al4cc8RL.exe.680000.5.unpack, ContextForm/AutoMachine.cs | .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 4.0.V5Al4cc8RL.exe.680000.9.unpack, ContextForm/AutoMachine.cs | .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Code function: 0_2_00765123 push edi; retf 0_2_00765124
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Code function: 0_2_00765305 pushad ; retf 0_2_00765306
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Code function: 0_2_0076430A push esp; ret 0_2_00764311
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Code function: 0_2_007662B6 push ecx; iretd 0_2_007662B7
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Code function: 0_2_007642AB push esi; retf 0_2_007642C9
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Code function: 0_2_028CD0C0 push eax; retf 0_2_028CF731
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Code function: 4_2_00685123 push edi; retf 4_2_00685124
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Code function: 4_2_0068430A push esp; ret 4_2_00684311
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Code function: 4_2_00685305 pushad ; retf 4_2_00685306
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Code function: 4_2_006842AB push esi; retf 4_2_006842C9
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Code function: 4_2_006862B6 push ecx; iretd 4_2_006862B7
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Code function: 4_2_00D97A37 push edi; retn 0000h 4_2_00D97A39
                      Source: initial sample | Static PE information: section name: .text entropy: 7.56350374002
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      Yara detected AntiVM3
                      Source: Yara match | File source: 0.2.V5Al4cc8RL.exe.2b51724.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.V5Al4cc8RL.exe.2afb594.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000000.00000002.257945194.0000000002B07000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.257831013.0000000002A91000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: V5Al4cc8RL.exe PID: 6220, type: MEMORYSTR
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                      Source: V5Al4cc8RL.exe, 00000000.00000002.257945194.0000000002B07000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000002.257831013.0000000002A91000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
                      Source: V5Al4cc8RL.exe, 00000000.00000002.257945194.0000000002B07000.00000004.00000001.sdmp, V5Al4cc8RL.exe, 00000000.00000002.257831013.0000000002A91000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe TID: 6224 | Thread sleep time: -35259s >= -30000s
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe TID: 6264 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe TID: 7044 | Thread sleep time: -23980767295822402s >= -30000s
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe TID: 7060 | Thread sleep count: 2706 > 30
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe TID: 7060 | Thread sleep count: 7080 > 30
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe TID: 7044 | Thread sleep count: 43 > 30
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Window / User API: threadDelayed 2706
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Window / User API: threadDelayed 7080
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Process information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Thread delayed: delay time: 35259
                      Source: V5Al4cc8RL.exe, 00000000.00000002.257831013.0000000002A91000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
                      Source: V5Al4cc8RL.exe, 00000000.00000002.257831013.0000000002A91000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: V5Al4cc8RL.exe, 00000000.00000002.257831013.0000000002A91000.00000004.00000001.sdmp | Binary or memory string: vmware
                      Source: V5Al4cc8RL.exe, 00000004.00000002.503892448.0000000000CF1000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: V5Al4cc8RL.exe, 00000000.00000002.257831013.0000000002A91000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Code function: 4_2_00D7C8A8 LdrInitializeThunk
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

                      Injects a PE file into a foreign processes
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Memory written: C:\Users\user\Desktop\V5Al4cc8RL.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Process created: C:\Users\user\Desktop\V5Al4cc8RL.exe C:\Users\user\Desktop\V5Al4cc8RL.exe
                      Source: V5Al4cc8RL.exe, 00000004.00000002.505613360.0000000001470000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
                      Source: V5Al4cc8RL.exe, 00000004.00000002.505613360.0000000001470000.00000002.00020000.sdmp | Binary or memory string: Progman
                      Source: V5Al4cc8RL.exe, 00000004.00000002.505613360.0000000001470000.00000002.00020000.sdmp | Binary or memory string: SProgram Managerl
                      Source: V5Al4cc8RL.exe, 00000004.00000002.505613360.0000000001470000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd,
                      Source: V5Al4cc8RL.exe, 00000004.00000002.505613360.0000000001470000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Queries volume information: C:\Users\user\Desktop\V5Al4cc8RL.exe VolumeInformation
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\V5Al4cc8RL.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation