
Windows Analysis Report
aRmotFM1Zp

Overview

General Information

Sample Name:aRmotFM1Zp (renamed file extension from none to exe)
Analysis ID:620774
MD5:5bbcc9d01bd32453756a8e65edd2723a
SHA1:48a5b77ef099971fb4d7e9fbd47cc20d910767e6
SHA256:c36ec3f847b81b6e59ee1e6d17544ee886a3a85105d1aa06646df073f8590838
Tags:32 AgentTesla exe trojan

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Multi AV Scanner detection for dropped file
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Injects a PE file into a foreign process
PE file has nameless sections
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Tries to harvest and steal browser information (history, passwords, etc)
PE file contains section with special chars
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Uses SMTP (mail sending)
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • aRmotFM1Zp.exe (PID: 4376 cmdline: "C:\Users\user\Desktop\aRmotFM1Zp.exe" MD5: 5BBCC9D01BD32453756A8E65EDD2723A)
    • aRmotFM1Zp.exe (PID: 5856 cmdline: C:\Users\user\Desktop\aRmotFM1Zp.exe MD5: 5BBCC9D01BD32453756A8E65EDD2723A)
  • HSpMzoJ.exe (PID: 6104 cmdline: "C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe" MD5: 5BBCC9D01BD32453756A8E65EDD2723A)
    • HSpMzoJ.exe (PID: 5088 cmdline: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe MD5: 5BBCC9D01BD32453756A8E65EDD2723A)
  • HSpMzoJ.exe (PID: 5608 cmdline: "C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe" MD5: 5BBCC9D01BD32453756A8E65EDD2723A)
  • cleanup
{"Exfil Mode": "SMTP", "Username": "r.heikal@alfursaneq.com", "Password": "  kOOdr$f8", "Host": "us2.smtp.mailhostbox.com"}
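The process tree above carries two of the report's findings in compact form: the same MD5 runs first from the Desktop and then from %AppData%\Roaming\HSpMzoJ (the dropped persistence copy), and each interactively started instance spawns a child of its own image with a bare, unquoted command line (the pattern behind "Creates a process in suspended mode" and "Injects a PE file into a foreign process"). The following triage helper is an added example, not part of the Joe Sandbox report: it parses tree lines in the report's own format and derives both findings. The user-writable directory list and the parsing rules are assumptions made for this example.

```python
"""Process-tree triage helper.  Added example, not part of the Joe Sandbox
report: it parses tree lines in the report's own format and derives two
findings the report's signatures describe.  The directory list and the
parsing rules are assumptions made for this example."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The five process-tree lines copied from the report; indentation encodes parentage.
TREE = """\
  • aRmotFM1Zp.exe (PID: 4376 cmdline: "C:\\Users\\user\\Desktop\\aRmotFM1Zp.exe" MD5: 5BBCC9D01BD32453756A8E65EDD2723A)
    • aRmotFM1Zp.exe (PID: 5856 cmdline: C:\\Users\\user\\Desktop\\aRmotFM1Zp.exe MD5: 5BBCC9D01BD32453756A8E65EDD2723A)
  • HSpMzoJ.exe (PID: 6104 cmdline: "C:\\Users\\user\\AppData\\Roaming\\HSpMzoJ\\HSpMzoJ.exe" MD5: 5BBCC9D01BD32453756A8E65EDD2723A)
    • HSpMzoJ.exe (PID: 5088 cmdline: C:\\Users\\user\\AppData\\Roaming\\HSpMzoJ\\HSpMzoJ.exe MD5: 5BBCC9D01BD32453756A8E65EDD2723A)
  • HSpMzoJ.exe (PID: 5608 cmdline: "C:\\Users\\user\\AppData\\Roaming\\HSpMzoJ\\HSpMzoJ.exe" MD5: 5BBCC9D01BD32453756A8E65EDD2723A)
"""

LINE_RE = re.compile(
    r'^(?P<indent>\s*)• (?P<image>\S+) \(PID: (?P<pid>\d+) cmdline: '
    r'(?P<cmd>.+?) MD5: (?P<md5>[0-9A-Fa-f]{32})\)$')

# Directories a standard user can write to (assumed list for the example).
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\temp\\", "\\users\\public\\")


@dataclass
class Proc:
    pid: int
    image: str
    path: str          # command line with surrounding quotes removed
    md5: str
    parent: Optional[int]
    quoted: bool       # whether the report showed the path quoted


def parse_tree(text: str) -> List[Proc]:
    """Rebuild parent/child links from indentation depth."""
    procs: List[Proc] = []
    stack: List[Tuple[int, int]] = []   # (depth, pid) of open ancestors
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        depth = len(m["indent"])
        while stack and stack[-1][0] >= depth:
            stack.pop()
        parent = stack[-1][1] if stack else None
        cmd = m["cmd"]
        p = Proc(int(m["pid"]), m["image"], cmd.strip('"'), m["md5"].lower(),
                 parent, cmd.startswith('"'))
        procs.append(p)
        stack.append((depth, p.pid))
    return procs


def find_persistence_copies(procs: List[Proc]) -> List[str]:
    """Paths where a file with the submitted sample's hash ran from somewhere
    other than where it was first seen, inside a user-writable directory.
    Corresponds to the report's 'Drops PE files' / dropped-file detections."""
    first_seen = {}
    copies = set()
    for p in procs:
        first_seen.setdefault(p.md5, p.path.lower())
        lp = p.path.lower()
        if lp != first_seen[p.md5] and any(d in lp for d in USER_WRITABLE):
            copies.add(p.path)
    return sorted(copies)


def find_self_spawns(procs: List[Proc]) -> List[Tuple[int, int]]:
    """(parent_pid, child_pid) pairs where the child's image is the parent's
    own file.  Together with the report's 'Creates a process in suspended
    mode' and 'Injects a PE file' signatures this is consistent with the
    RunPE / process-hollowing pattern; note the child's command line is the
    bare, unquoted path, unlike the interactively started parent."""
    by_pid = {p.pid: p for p in procs}
    return [(p.parent, p.pid) for p in procs
            if p.parent in by_pid and by_pid[p.parent].path.lower() == p.path.lower()]


if __name__ == "__main__":
    tree = parse_tree(TREE)
    print("persistence copies:", find_persistence_copies(tree))
    print("self-spawned children:", find_self_spawns(tree))
```

The self-spawn check deliberately compares file paths rather than PIDs or image names, so a renamed copy of the sample re-launching itself from a second directory is still reported as a fresh persistence copy and not as injection.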
Source | Rule | Description | Author | Strings
00000010.00000002.522438754.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000010.00000002.522438754.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0000000D.00000002.369643217.0000000004C8D000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000D.00000002.369643217.0000000004C8D000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000010.00000000.352232161.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(first 5 of 35 entries shown)
Source | Rule | Description | Author | Strings
16.0.HSpMzoJ.exe.400000.12.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
16.0.HSpMzoJ.exe.400000.12.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
16.0.HSpMzoJ.exe.400000.12.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen | Strings:
  • 0x32ae3:$s10: logins
  • 0x3254a:$s11: credential
  • 0x2eb5c:$g1: get_Clipboard
  • 0x2eb6a:$g2: get_Keyboard
  • 0x2eb77:$g3: get_Password
  • 0x2fe58:$g4: get_CtrlKeyDown
  • 0x2fe68:$g5: get_ShiftKeyDown
  • 0x2fe79:$g6: get_AltKeyDown
16.0.HSpMzoJ.exe.400000.10.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
16.0.HSpMzoJ.exe.400000.10.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
(first 5 of 65 entries shown)
No Sigma rule has matched
No Snort rule has matched
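The `0x2eb5c:$g1: get_Clipboard` lines above are the offsets at which the community rule's strings were found in the unpacked .NET payload; the identifiers are getter names that land in the assembly's #Strings metadata heap, so a string scan finds them even when the code is obfuscated. The scanner below is an added example, not the report's own code and not ditekSHen's rule: it reuses only the eight string identifiers and values the report lists as matched for MALWARE_Win_AgentTeslaV3, with an assumed condition of "all of ($g*) and 2 of ($s*)", and runs on a constructed buffer rather than the real sample. It shows how the report's hit lines are produced and why the rule needs the combination rather than any single string (a benign WinForms program also has `get_Clipboard`).

```python
"""Minimal YARA-style string scanner.  Added example, not the report's own
code and not ditekSHen's rule: the rule below reuses only the eight string
identifiers and values the report lists as matched for
MALWARE_Win_AgentTeslaV3, with an ASSUMED condition ("all of ($g*) and
2 of ($s*)").  The scanned buffer is constructed here, not the real sample."""
from typing import Dict, List

RULE_STRINGS: Dict[str, bytes] = {
    "$s10": b"logins",
    "$s11": b"credential",
    "$g1": b"get_Clipboard",     # .NET property getters as they appear in the
    "$g2": b"get_Keyboard",      # metadata #Strings heap (ASCII, NUL-terminated)
    "$g3": b"get_Password",
    "$g4": b"get_CtrlKeyDown",
    "$g5": b"get_ShiftKeyDown",
    "$g6": b"get_AltKeyDown",
}


def find_all(buf: bytes, needle: bytes) -> List[int]:
    """All offsets of needle in buf, including overlapping ones."""
    hits, start = [], 0
    while (i := buf.find(needle, start)) >= 0:
        hits.append(i)
        start = i + 1
    return hits


def scan(buf: bytes) -> Dict[str, List[int]]:
    """String ids that matched, each with its list of offsets."""
    return {sid: offs for sid, pat in RULE_STRINGS.items()
            if (offs := find_all(buf, pat))}


def rule_matches(matches: Dict[str, List[int]]) -> bool:
    """Assumed condition: every $g* string present and at least 2 of $s*."""
    g_ids = [s for s in RULE_STRINGS if s.startswith("$g")]
    s_ids = [s for s in RULE_STRINGS if s.startswith("$s")]
    return all(g in matches for g in g_ids) and sum(s in matches for s in s_ids) >= 2


def report_lines(matches: Dict[str, List[int]]) -> List[str]:
    """Render hits the way the report does ('0x32ae3:$s10: logins'), by offset."""
    rows = [(o, f"0x{o:x}:{sid}: {RULE_STRINGS[sid].decode('ascii')}")
            for sid, offs in matches.items() for o in offs]
    return [text for _, text in sorted(rows)]


def build_sample() -> bytes:
    """Constructed stand-in for an unpacked .NET payload: the method names laid
    out NUL-terminated behind 0x100 bytes of filler.  Offsets are therefore
    arbitrary and not those of the real sample."""
    names = [b"get_Clipboard", b"get_Keyboard", b"get_Password", b"get_CtrlKeyDown",
             b"get_ShiftKeyDown", b"get_AltKeyDown", b"credential", b"logins"]
    return b"\x00" * 0x100 + b"".join(n + b"\x00" for n in names) + b"\x00" * 0x40


if __name__ == "__main__":
    m = scan(build_sample())
    print("rule matched:", rule_matches(m))
    print("\n".join(report_lines(m)))
```

Run against a memory dump instead of `build_sample()`, the same scanner reproduces the report's offset lines for the listed strings; for production use, the real rule via yara-python is the right tool, since it also carries the PE and string-count conditions this illustration omits.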

                    AV Detection

Source: 16.0.HSpMzoJ.exe.400000.10.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "r.heikal@alfursaneq.com", "Password": " kOOdr$f8", "Host": "us2.smtp.mailhostbox.com"}
Source: aRmotFM1Zp.exe | Virustotal: Detection: 35%
Source: aRmotFM1Zp.exe | ReversingLabs: Detection: 28%
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | Virustotal: Detection: 35%
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | ReversingLabs: Detection: 28%
Source: aRmotFM1Zp.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | Joe Sandbox ML: detected
Source: 16.0.HSpMzoJ.exe.400000.10.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.0.aRmotFM1Zp.exe.400000.10.unpack | Avira: Label: TR/Spy.Gen8
Source: 16.0.HSpMzoJ.exe.400000.12.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.0.aRmotFM1Zp.exe.400000.12.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.0.aRmotFM1Zp.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 16.2.HSpMzoJ.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 16.0.HSpMzoJ.exe.400000.8.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.0.aRmotFM1Zp.exe.400000.8.unpack | Avira: Label: TR/Spy.Gen8
Source: 16.0.HSpMzoJ.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.2.aRmotFM1Zp.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 16.0.HSpMzoJ.exe.400000.6.unpack | Avira: Label: TR/Spy.Gen8
Source: 3.0.aRmotFM1Zp.exe.400000.6.unpack | Avira: Label: TR/Spy.Gen8
Source: aRmotFM1Zp.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: aRmotFM1Zp.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h (3 matches)
Source: Joe Sandbox View | IP Address: 162.222.225.29
Source: Joe Sandbox View | IP Address: 208.91.198.38
Source: global traffic | TCP traffic: 192.168.2.4:49761 -> 162.222.225.29:587
Source: global traffic | TCP traffic: 192.168.2.4:49770 -> 208.91.198.38:587
Source: aRmotFM1Zp.exe, 00000003.00000002.529873536.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, HSpMzoJ.exe, 00000010.00000002.530370723.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: HSpMzoJ.exe, 00000010.00000002.530370723.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: aRmotFM1Zp.exe, 00000003.00000002.531217917.0000000002C1A000.00000004.00000800.00020000.00000000.sdmp, HSpMzoJ.exe, 00000010.00000002.531732412.0000000002FDD000.00000004.00000800.00020000.00000000.sdmp, HSpMzoJ.exe, 00000010.00000002.527332027.0000000000E75000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: aRmotFM1Zp.exe, 00000003.00000002.531217917.0000000002C1A000.00000004.00000800.00020000.00000000.sdmp, aRmotFM1Zp.exe, 00000003.00000002.534066906.0000000005F10000.00000004.00000800.00020000.00000000.sdmp, HSpMzoJ.exe, 00000010.00000002.531732412.0000000002FDD000.00000004.00000800.00020000.00000000.sdmp, HSpMzoJ.exe, 00000010.00000003.402680529.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, HSpMzoJ.exe, 00000010.00000002.528240722.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, HSpMzoJ.exe, 00000010.00000003.402114851.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, HSpMzoJ.exe, 00000010.00000003.401861573.0000000000F32000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: aRmotFM1Zp.exe, 00000003.00000002.531217917.0000000002C1A000.00000004.00000800.00020000.00000000.sdmp, HSpMzoJ.exe, 00000010.00000002.531732412.0000000002FDD000.00000004.00000800.00020000.00000000.sdmp, HSpMzoJ.exe, 00000010.00000002.527332027.0000000000E75000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: aRmotFM1Zp.exe, 00000000.00000002.307503472.00000000095A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: HSpMzoJ.exe, 00000010.00000002.530370723.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://loVTdM.com
Source: aRmotFM1Zp.exe, 00000003.00000002.531217917.0000000002C1A000.00000004.00000800.00020000.00000000.sdmp, HSpMzoJ.exe, 00000010.00000002.531732412.0000000002FDD000.00000004.00000800.00020000.00000000.sdmp, HSpMzoJ.exe, 00000010.00000002.527332027.0000000000E75000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: aRmotFM1Zp.exe, 00000003.00000002.531217917.0000000002C1A000.00000004.00000800.00020000.00000000.sdmp, HSpMzoJ.exe, 00000010.00000002.531732412.0000000002FDD000.00000004.00000800.00020000.00000000.sdmp, HSpMzoJ.exe, 00000010.00000002.527332027.0000000000E75000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.sectigo.com0A
Source: aRmotFM1Zp.exe, 00000003.00000002.531217917.0000000002C1A000.00000004.00000800.00020000.00000000.sdmp, HSpMzoJ.exe, 00000010.00000002.531732412.0000000002FDD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: aRmotFM1Zp.exe, 00000000.00000002.307503472.00000000095A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: aRmotFM1Zp.exe, 00000000.00000002.307503472.00000000095A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: aRmotFM1Zp.exe, 00000000.00000002.307503472.00000000095A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: aRmotFM1Zp.exe, 00000000.00000002.307503472.00000000095A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: aRmotFM1Zp.exe, 00000000.00000002.307503472.00000000095A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: aRmotFM1Zp.exe, 00000000.00000002.307503472.00000000095A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: aRmotFM1Zp.exe, 00000000.00000002.307503472.00000000095A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: aRmotFM1Zp.exe, 00000000.00000002.307503472.00000000095A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: aRmotFM1Zp.exe, 00000000.00000002.307503472.00000000095A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: aRmotFM1Zp.exe, 00000000.00000002.307503472.00000000095A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: aRmotFM1Zp.exe, 00000000.00000002.307503472.00000000095A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: aRmotFM1Zp.exe, 00000000.00000002.307503472.00000000095A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: aRmotFM1Zp.exe, 00000000.00000002.307503472.00000000095A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: aRmotFM1Zp.exe, 00000000.00000002.307503472.00000000095A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: aRmotFM1Zp.exe, 00000000.00000002.307503472.00000000095A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: aRmotFM1Zp.exe, 00000000.00000002.307503472.00000000095A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: aRmotFM1Zp.exe, 00000000.00000002.307503472.00000000095A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: aRmotFM1Zp.exe, 00000000.00000002.307503472.00000000095A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: aRmotFM1Zp.exe, 00000000.00000002.307503472.00000000095A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: aRmotFM1Zp.exe, 00000000.00000002.307503472.00000000095A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: aRmotFM1Zp.exe, 00000000.00000002.307503472.00000000095A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: aRmotFM1Zp.exe, 00000000.00000002.307503472.00000000095A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: aRmotFM1Zp.exe, 00000000.00000002.307503472.00000000095A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: aRmotFM1Zp.exe, 00000000.00000002.307503472.00000000095A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: aRmotFM1Zp.exe, 00000000.00000002.307503472.00000000095A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: aRmotFM1Zp.exe, 00000003.00000002.529873536.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, HSpMzoJ.exe, 00000010.00000002.530370723.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org%
Source: HSpMzoJ.exe, 00000010.00000002.530370723.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org%appdata
Source: HSpMzoJ.exe, 00000010.00000002.531698848.0000000002FD5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://rw3y87WIqxS3D5b0nQ.com
Source: aRmotFM1Zp.exe, 00000003.00000002.531217917.0000000002C1A000.00000004.00000800.00020000.00000000.sdmp, HSpMzoJ.exe, 00000010.00000002.531732412.0000000002FDD000.00000004.00000800.00020000.00000000.sdmp, HSpMzoJ.exe, 00000010.00000002.534760312.0000000006A70000.00000004.00000800.00020000.00000000.sdmp, HSpMzoJ.exe, 00000010.00000002.527332027.0000000000E75000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: aRmotFM1Zp.exe, 00000003.00000002.529873536.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, HSpMzoJ.exe, 00000010.00000002.530370723.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown | DNS traffic detected: queries for: us2.smtp.mailhostbox.com
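The network evidence above reduces to a small, high-confidence indicator set: a DNS lookup for us2.smtp.mailhostbox.com (the host in the extracted configuration), TCP/587 submissions to 162.222.225.29 and 208.91.198.38 from the dropped HSpMzoJ.exe, and an api.ipify.org string used to learn the victim's public address. The fontbureau.com, founder.com.cn, sajatypeworks.com and similar URLs are font-vendor metadata carried in font data, not code or network indicators, and belong on no blocklist; the comodoca/sectigo URLs are ordinary certificate revocation endpoints. The detection logic below is an added example, not part of the Joe Sandbox report: it runs those indicators, plus a generic "mail submission from a non-mail-client" rule, over constructed Sysmon-style key=value events. The event format, the benign destination addresses (documentation ranges) and the mail-client allowlist are assumptions for the example.

```python
"""Detection logic for the exfiltration channel the report documents.  Added
example, not part of the Joe Sandbox report.  Indicators are copied from the
report (SMTP host, the two TCP/587 destinations, the api.ipify.org string);
the log format (Sysmon-style key=value lines), the sample events, the benign
destination IPs (documentation ranges) and the mail-client allowlist are
constructed assumptions."""
import re
from typing import Dict, List

# Indicators from the report.
EXFIL_HOSTS = {"us2.smtp.mailhostbox.com"}
EXFIL_IPS = {"162.222.225.29", "208.91.198.38"}
SUBMISSION_PORTS = {25, 465, 587}          # SMTP / SMTPS / submission
# Processes expected to speak SMTP on a workstation (assumed allowlist).
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Constructed events shaped like Sysmon EventID 22 (DNS) and 3 (network).
LOGS = """\
EventID=22 Image="C:\\Users\\user\\Desktop\\aRmotFM1Zp.exe" QueryName=api.ipify.org
EventID=22 Image="C:\\Users\\user\\AppData\\Roaming\\HSpMzoJ\\HSpMzoJ.exe" QueryName=us2.smtp.mailhostbox.com
EventID=3 Image="C:\\Users\\user\\AppData\\Roaming\\HSpMzoJ\\HSpMzoJ.exe" Protocol=tcp DestinationIp=162.222.225.29 DestinationPort=587
EventID=3 Image="C:\\Users\\user\\AppData\\Roaming\\HSpMzoJ\\HSpMzoJ.exe" Protocol=tcp DestinationIp=208.91.198.38 DestinationPort=587
EventID=3 Image="C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE" Protocol=tcp DestinationIp=203.0.113.10 DestinationPort=587
EventID=3 Image="C:\\Program Files\\Mozilla Firefox\\firefox.exe" Protocol=tcp DestinationIp=192.0.2.50 DestinationPort=443
EventID=3 Image="C:\\Users\\user\\AppData\\Local\\Temp\\invoice.exe" Protocol=tcp DestinationIp=198.51.100.7 DestinationPort=587
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse(line: str) -> Dict[str, str]:
    """key=value or key="value with spaces" -> dict."""
    return {k: (q if q else v) for k, q, v in KV_RE.findall(line)}


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Evaluate each event against the known indicators and the generic rule."""
    alerts: List[Dict[str, str]] = []

    def alert(rule: str, severity: str, ev: Dict[str, str]) -> None:
        alerts.append({"rule": rule, "severity": severity,
                       "image": ev.get("Image", ""),
                       "target": ev.get("QueryName") or ev.get("DestinationIp", "")})

    for line in lines:
        ev = parse(line)
        proc = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        if ev.get("EventID") == "22":
            q = ev.get("QueryName", "").lower()
            if q in EXFIL_HOSTS:
                alert("dns-known-exfil-host", "high", ev)
            elif q == "api.ipify.org":
                # Public-IP lookup: weak on its own, useful as a pivot.
                alert("public-ip-lookup", "low", ev)
        elif ev.get("EventID") == "3":
            ip = ev.get("DestinationIp", "")
            port = int(ev.get("DestinationPort", "0"))
            if ip in EXFIL_IPS:
                alert("tcp-known-exfil-ip", "high", ev)
            elif port in SUBMISSION_PORTS and proc not in MAIL_CLIENTS:
                # Generic rule: mail submission from something that is not a mail client.
                alert("smtp-from-non-mail-client", "medium", ev)
    return alerts


if __name__ == "__main__":
    for a in detect(LOGS.splitlines()):
        print(f"{a['severity']:6} {a['rule']:28} {a['image']} -> {a['target']}")
```

The generic rule is the one that survives the next rebuild of the sample: AgentTesla operators rotate mailbox credentials and hosts, but an executable outside the mail-client allowlist opening TCP/587 is rare on a workstation and is worth an alert even with no matching indicator.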

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\aRmotFM1Zp.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\aRmotFM1Zp.exe
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe
Source: HSpMzoJ.exe, 0000000D.00000002.363261608.00000000014B8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | Window created: window name: CLIPBRDWNDCLASS

                    System Summary

Source: 16.0.HSpMzoJ.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 16.0.HSpMzoJ.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.aRmotFM1Zp.exe.4c586b0.8.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 3.0.aRmotFM1Zp.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.aRmotFM1Zp.exe.4c586b0.8.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.aRmotFM1Zp.exe.4c24090.7.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.aRmotFM1Zp.exe.4c24090.7.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.aRmotFM1Zp.exe.4bedc70.9.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 3.0.aRmotFM1Zp.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 3.0.aRmotFM1Zp.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 13.2.HSpMzoJ.exe.4cf86b0.7.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 16.2.HSpMzoJ.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 16.0.HSpMzoJ.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 16.0.HSpMzoJ.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 3.0.aRmotFM1Zp.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 3.2.aRmotFM1Zp.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 13.2.HSpMzoJ.exe.4cc4090.9.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.aRmotFM1Zp.exe.32c5e18.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 16.0.HSpMzoJ.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 3.0.aRmotFM1Zp.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 13.2.HSpMzoJ.exe.4cc4090.9.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 13.2.HSpMzoJ.exe.4c8dc70.8.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 13.2.HSpMzoJ.exe.4cf86b0.7.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 13.2.HSpMzoJ.exe.3367ab0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: aRmotFM1Zp.exe | Static PE information: section name:
Source: HSpMzoJ.exe.3.dr | Static PE information: section name:
Source: aRmotFM1Zp.exe | Static PE information: section name: >Uuj
Source: HSpMzoJ.exe.3.dr | Static PE information: section name: >Uuj
Source: aRmotFM1Zp.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 16.0.HSpMzoJ.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 16.0.HSpMzoJ.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.aRmotFM1Zp.exe.4c586b0.8.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 3.0.aRmotFM1Zp.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.aRmotFM1Zp.exe.4c586b0.8.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.aRmotFM1Zp.exe.4c24090.7.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.aRmotFM1Zp.exe.4c24090.7.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.aRmotFM1Zp.exe.4bedc70.9.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 3.0.aRmotFM1Zp.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 3.0.aRmotFM1Zp.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 13.2.HSpMzoJ.exe.4cf86b0.7.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 16.2.HSpMzoJ.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 16.0.HSpMzoJ.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 16.0.HSpMzoJ.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 3.0.aRmotFM1Zp.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 3.2.aRmotFM1Zp.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 13.2.HSpMzoJ.exe.4cc4090.9.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.aRmotFM1Zp.exe.32c5e18.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 16.0.HSpMzoJ.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 3.0.aRmotFM1Zp.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 13.2.HSpMzoJ.exe.4cc4090.9.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 13.2.HSpMzoJ.exe.4c8dc70.8.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 13.2.HSpMzoJ.exe.4cf86b0.7.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 13.2.HSpMzoJ.exe.3367ab0.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe | Code function: 0_2_09989D88
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe | Code function: 0_2_0998F670
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe | Code function: 0_2_09989D78
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe | Code function: 0_2_0998F2A8
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe | Code function: 0_2_0A070006
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe | Code function: 0_2_0A070040
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe | Code function: 0_2_0A079058
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe | Code function: 3_2_005AEEE5
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe | Code function: 3_2_00F5F380
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe | Code function: 3_2_00F5F6C8
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe | Code function: 3_2_00F56560
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe | Code function: 3_2_05D4BC70
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe | Code function: 3_2_05D4C9C1
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe | Code function: 3_2_05D42120
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe | Code function: 3_2_05D40040
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | Code function: 13_2_0AE00040
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | Code function: 13_2_0AE09058
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | Code function: 13_2_0AE00007
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | Code function: 14_2_00B430D8
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | Code function: 14_2_00B42488
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | Code function: 14_2_00B404E0
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | Code function: 14_2_00B44520
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | Code function: 14_2_00B43620
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | Code function: 14_2_00B42C28
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | Code function: 14_2_00B430C9
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | Code function: 14_2_00B4239F
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | Code function: 14_2_00B444F7
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | Code function: 14_2_00B404D0
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | Code function: 14_2_00B42451
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | Code function: 14_2_00B46520
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | Code function: 14_2_00B46510
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | Code function: 14_2_00B43610
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | Code function: 14_2_00B46790
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | Code function: 14_2_00B46780
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | Code function: 14_2_00B469F8
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | Code function: 14_2_00B41928
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | Code function: 14_2_00B41919
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | Code function: 14_2_00B46A08
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | Code function: 14_2_00B42C19
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | Code function: 16_2_007BEEE5
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | Code function: 16_2_0105F380
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | Code function: 16_2_0105F6C8
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | Code function: 16_2_01056560
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | Code function: 16_2_0105F6BD
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | Code function: 16_2_06166F30
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | Code function: 16_2_06169420
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | Code function: 16_2_0616E348
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | Code function: 16_2_0616BB67
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | Code function: 16_2_061661C0
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | Code function: 16_2_0616562F
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | Code function: 16_2_06163330
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | Code function: 16_2_061693BC
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | Code function: 16_2_0649EB30
                    Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exeCode function: 16_2_06497F88
                    Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exeCode function: 16_2_06499858
                    Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exeCode function: 16_2_0649C4A0
                    Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exeCode function: 16_2_0649B0B8
                    Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exeCode function: 16_2_06495A4E
                    Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exeCode function: 16_2_06497E39
                    Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exeCode function: 16_2_0649DAD0
                    Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exeCode function: 16_2_06495AB0
                    Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exeCode function: 16_2_0649D160
                    Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exeCode function: 16_2_06491108
Source: aRmotFM1Zp.exe | Binary or memory string: OriginalFilename vs aRmotFM1Zp.exe
Source: aRmotFM1Zp.exe, 00000000.00000002.311773818.0000000009E00000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs aRmotFM1Zp.exe
Source: aRmotFM1Zp.exe, 00000000.00000002.296427062.0000000003051000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameEvWTMpfsxfejaxYfeqVgKrjLScR.exe4 vs aRmotFM1Zp.exe
Source: aRmotFM1Zp.exe, 00000000.00000002.298973097.0000000003275000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePoolWait.dll" vs aRmotFM1Zp.exe
Source: aRmotFM1Zp.exe, 00000000.00000002.309761505.0000000009B10000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamePoolWait.dll" vs aRmotFM1Zp.exe
Source: aRmotFM1Zp.exe, 00000000.00000002.303899433.0000000004BED000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameEvWTMpfsxfejaxYfeqVgKrjLScR.exe4 vs aRmotFM1Zp.exe
Source: aRmotFM1Zp.exe, 00000003.00000002.525470477.00000000007C8000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs aRmotFM1Zp.exe
Source: aRmotFM1Zp.exe, 00000003.00000000.289976740.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameEvWTMpfsxfejaxYfeqVgKrjLScR.exe4 vs aRmotFM1Zp.exe
Source: aRmotFM1Zp.exe, 00000003.00000002.534066906.0000000005F10000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLoaderOptimizat.exe4 vs aRmotFM1Zp.exe
Source: aRmotFM1Zp.exe | Binary or memory string: OriginalFilenameLoaderOptimizat.exe4 vs aRmotFM1Zp.exe
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe C36EC3F847B81B6E59EE1E6D17544EE886A3A85105D1AA06646DF073F8590838
Source: aRmotFM1Zp.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: HSpMzoJ.exe.3.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: aRmotFM1Zp.exe | Static PE information: Section: >Uuj ZLIB complexity 1.00043633644
Source: HSpMzoJ.exe.3.dr | Static PE information: Section: >Uuj ZLIB complexity 1.00043633644
Source: aRmotFM1Zp.exe | Virustotal: Detection: 35%
Source: aRmotFM1Zp.exe | ReversingLabs: Detection: 28%
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe | File read: C:\Users\user\Desktop\aRmotFM1Zp.exe
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\aRmotFM1Zp.exe "C:\Users\user\Desktop\aRmotFM1Zp.exe"
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe | Process created: C:\Users\user\Desktop\aRmotFM1Zp.exe C:\Users\user\Desktop\aRmotFM1Zp.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe "C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe"
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | Process created: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\aRmotFM1Zp.exe.log
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/4@2/2
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: aRmotFM1Zp.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: aRmotFM1Zp.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: aRmotFM1Zp.exe | Static PE information: section name: >Uuj
Source: aRmotFM1Zp.exe | Static PE information: section name:
Source: HSpMzoJ.exe.3.dr | Static PE information: section name: >Uuj
Source: HSpMzoJ.exe.3.dr | Static PE information: section name:
Source: aRmotFM1Zp.exe | Static PE information: 0xFB984FB0 [Fri Oct 5 21:31:28 2103 UTC]
Source: initial sample | Static PE information: section name: >Uuj entropy: 7.99627258012
Source: initial sample | Static PE information: section name: .text entropy: 7.91715713466
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe | File created: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run HSpMzoJ

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\aRmotFM1Zp.exe | File opened: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: 0.2.aRmotFM1Zp.exe.32c5e18.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.HSpMzoJ.exe.3367ab0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.364235592.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.364734676.0000000003318000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.296427062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.298973097.0000000003275000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: aRmotFM1Zp.exe PID: 4376, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: HSpMzoJ.exe PID: 6104, type: MEMORYSTR
Source: aRmotFM1Zp.exe, 00000000.00000002.296427062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, aRmotFM1Zp.exe, 00000000.00000002.298973097.0000000003275000.00000004.00000800.00020000.00000000.sdmp, HSpMzoJ.exe, 0000000D.00000002.364734676.0000000003318000.00000004.00000800.00020000.00000000.sdmp, HSpMzoJ.exe, 0000000D.00000002.364235592.00000000030F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: aRmotFM1Zp.exe, 00000000.00000002.296427062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, aRmotFM1Zp.exe, 00000000.00000002.298973097.0000000003275000.00000004.00000800.00020000.00000000.sdmp, HSpMzoJ.exe, 0000000D.00000002.364734676.0000000003318000.00000004.00000800.00020000.00000000.sdmp, HSpMzoJ.exe, 0000000D.00000002.364235592.00000000030F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe TID: 5620 Thread sleep time: -45733s >= -30000s
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe TID: 5500 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe TID: 3736 Thread sleep time: -23980767295822402s >= -30000s
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe TID: 5848 Thread sleep count: 6211 > 30
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe TID: 5848 Thread sleep count: 2558 > 30
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe TID: 3536 Thread sleep time: -45733s >= -30000s
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe TID: 5500 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe TID: 3368 Thread sleep time: -45733s >= -30000s
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe TID: 1556 Thread sleep time: -23058430092136925s >= -30000s
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe TID: 1524 Thread sleep count: 4279 > 30
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe TID: 1524 Thread sleep count: 4480 > 30
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Window / User API: threadDelayed 6211
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Window / User API: threadDelayed 2558
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe Window / User API: threadDelayed 4279
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe Window / User API: threadDelayed 4480
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Thread delayed: delay time: 45733
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe Thread delayed: delay time: 45733
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe Thread delayed: delay time: 45733
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe Thread delayed: delay time: 922337203685477
Source: HSpMzoJ.exe, 0000000D.00000002.364235592.00000000030F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: HSpMzoJ.exe, 0000000D.00000002.364235592.00000000030F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: HSpMzoJ.exe, 0000000D.00000002.364235592.00000000030F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: HSpMzoJ.exe, 00000010.00000002.527332027.0000000000E75000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: HSpMzoJ.exe, 0000000D.00000002.364235592.00000000030F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Anti Debugging

Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe Code function: 14_2_00B416F8 CheckRemoteDebuggerPresent,
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe Code function: 16_2_0649DF28 LdrInitializeThunk,
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Memory written: C:\Users\user\Desktop\aRmotFM1Zp.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe Memory written: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Process created: C:\Users\user\Desktop\aRmotFM1Zp.exe C:\Users\user\Desktop\aRmotFM1Zp.exe
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe Process created: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Users\user\Desktop\aRmotFM1Zp.exe VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Users\user\Desktop\aRmotFM1Zp.exe VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\aRmotFM1Zp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | Queries volume information: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe | Code function: 3_2_05D44C28 GetUserNameW,

                    Stealing of Sensitive Information

Source: Yara match | File source: 16.0.HSpMzoJ.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.0.HSpMzoJ.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.aRmotFM1Zp.exe.4c586b0.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.aRmotFM1Zp.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.aRmotFM1Zp.exe.4c586b0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.aRmotFM1Zp.exe.4c24090.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.aRmotFM1Zp.exe.4c24090.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.aRmotFM1Zp.exe.4bedc70.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.aRmotFM1Zp.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.aRmotFM1Zp.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.HSpMzoJ.exe.4cf86b0.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.HSpMzoJ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.0.HSpMzoJ.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.0.HSpMzoJ.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.aRmotFM1Zp.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.aRmotFM1Zp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.HSpMzoJ.exe.4cc4090.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.0.HSpMzoJ.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.aRmotFM1Zp.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.HSpMzoJ.exe.4cc4090.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.HSpMzoJ.exe.4c8dc70.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.HSpMzoJ.exe.4cf86b0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: Process Memory Space: aRmotFM1Zp.exe PID: 4376, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: aRmotFM1Zp.exe PID: 5856, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: HSpMzoJ.exe PID: 6104, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: HSpMzoJ.exe PID: 5088, type: MEMORYSTR
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\aRmotFM1Zp.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

                    Remote Access Functionality

MITRE ATT&CK matrix (bracketed numbers are the per-cell counts shown in the original matrix):

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation [211] | Registry Run Keys / Startup Folder [1] | Process Injection [111] | Disable or Modify Tools [1] | OS Credential Dumping [2] | Account Discovery [1] | Remote Services | Archive Collected Data [1] | Exfiltration Over Other Network Medium | Encrypted Channel [1] | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Registry Run Keys / Startup Folder [1] | Obfuscated Files or Information [3] | Input Capture [111] | System Information Discovery [114] | Remote Desktop Protocol | Data from Local System [2] | Exfiltration Over Bluetooth | Non-Standard Port [1] | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Software Packing [4] | Credentials in Registry [1] | Query Registry [1] | SMB/Windows Admin Shares | Email Collection [1] | Automated Exfiltration | Non-Application Layer Protocol [1] | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Timestomp [1] | NTDS | Security Software Discovery [421] | Distributed Component Object Model | Input Capture [111] | Scheduled Transfer | Application Layer Protocol [11] | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading [1] | LSA Secrets | Process Discovery [1] | SSH | Clipboard Data [1] | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion [141] | Cached Domain Credentials | Virtualization/Sandbox Evasion [141] | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection [111] | DCSync | Application Window Discovery [1] | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Hidden Files and Directories [1] | Proc Filesystem | System Owner/User Discovery [1] | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | Remote System Discovery [1] | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction |
Behavior Graph (ID: 620774; Sample: aRmotFM1Zp; Startdate: 05/05/2022; Architecture: WINDOWS; Score: 100)

Start node: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 6 other signatures. Starts HSpMzoJ.exe, aRmotFM1Zp.exe and a second HSpMzoJ.exe.

HSpMzoJ.exe: Multi AV Scanner detection for dropped file; Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Machine Learning detection for dropped file; Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent). Starts a child HSpMzoJ.exe.

aRmotFM1Zp.exe: drops C:\Users\user\AppData\...\aRmotFM1Zp.exe.log (ASCII); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Injects a PE file into a foreign processes. Starts a child aRmotFM1Zp.exe.

Child HSpMzoJ.exe: connects to 208.91.198.38 port 587 (local port 49770), PUBLIC-DOMAIN-REGISTRYUS, United States; Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc); Installs a global keyboard hook.

Child aRmotFM1Zp.exe: connects to us2.smtp.mailhostbox.com (162.222.225.29) port 587 (local port 49761), PUBLIC-DOMAIN-REGISTRYUS, United States; drops C:\Users\user\AppData\Roaming\...\HSpMzoJ.exe (PE32) and C:\Users\user\...\HSpMzoJ.exe:Zone.Identifier (ASCII); Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Hides that the sample has been downloaded from the Internet (zone.identifier).

Antivirus detection for the submitted file:

Source | Detection | Scanner | Label
aRmotFM1Zp.exe | 35% | Virustotal |
aRmotFM1Zp.exe | 29% | ReversingLabs | Win32.Trojan.Pwsx
aRmotFM1Zp.exe | 100% | Joe Sandbox ML |

Antivirus detection for the dropped file:

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | 35% | Virustotal |
C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe | 29% | ReversingLabs | Win32.Trojan.Pwsx

Antivirus detection for unpacked PE files:

Source | Detection | Scanner | Label
16.0.HSpMzoJ.exe.400000.10.unpack | 100% | Avira | TR/Spy.Gen8
3.0.aRmotFM1Zp.exe.400000.10.unpack | 100% | Avira | TR/Spy.Gen8
16.0.HSpMzoJ.exe.400000.12.unpack | 100% | Avira | TR/Spy.Gen8
3.0.aRmotFM1Zp.exe.400000.12.unpack | 100% | Avira | TR/Spy.Gen8
3.0.aRmotFM1Zp.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8
16.2.HSpMzoJ.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
16.0.HSpMzoJ.exe.400000.8.unpack | 100% | Avira | TR/Spy.Gen8
3.0.aRmotFM1Zp.exe.400000.8.unpack | 100% | Avira | TR/Spy.Gen8
16.0.HSpMzoJ.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8
3.2.aRmotFM1Zp.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8
16.0.HSpMzoJ.exe.400000.6.unpack | 100% | Avira | TR/Spy.Gen8
3.0.aRmotFM1Zp.exe.400000.6.unpack | 100% | Avira | TR/Spy.Gen8
                    No Antivirus matches
URL reputation checks:

Source | Detection | Scanner | Label
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | 0% | URL Reputation | safe
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
https://api.ipify.org%appdata | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
https://rw3y87WIqxS3D5b0nQ.com | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://loVTdM.com | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://ocsp.sectigo.com0A | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
https://api.ipify.org% | 0% | URL Reputation | safe
Contacted domains:

Name | IP | Active | Malicious | Antivirus Detection | Reputation
us2.smtp.mailhostbox.com | 162.222.225.29 | true | false | | high
URLs found in memory or binary data:

Name | Source | Malicious | Antivirus Detection | Reputation
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | aRmotFM1Zp.exe, 00000003.00000002.531217917.0000000002C1A000.00000004.00000800.00020000.00000000.sdmp, HSpMzoJ.exe, 00000010.00000002.531732412.0000000002FDD000.00000004.00000800.00020000.00000000.sdmp, HSpMzoJ.exe, 00000010.00000002.527332027.0000000000E75000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://127.0.0.1:HTTP/1.1 | aRmotFM1Zp.exe, 00000003.00000002.529873536.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, HSpMzoJ.exe, 00000010.00000002.530370723.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.apache.org/licenses/LICENSE-2.0 | aRmotFM1Zp.exe, 00000000.00000002.307503472.00000000095A2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | aRmotFM1Zp.exe, 00000000.00000002.307503472.00000000095A2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designersG | aRmotFM1Zp.exe, 00000000.00000002.307503472.00000000095A2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://sectigo.com/CPS0 | aRmotFM1Zp.exe, 00000003.00000002.531217917.0000000002C1A000.00000004.00000800.00020000.00000000.sdmp, HSpMzoJ.exe, 00000010.00000002.531732412.0000000002FDD000.00000004.00000800.00020000.00000000.sdmp, HSpMzoJ.exe, 00000010.00000002.534760312.0000000006A70000.00000004.00000800.00020000.00000000.sdmp, HSpMzoJ.exe, 00000010.00000002.527332027.0000000000E75000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/? | aRmotFM1Zp.exe, 00000000.00000002.307503472.00000000095A2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | aRmotFM1Zp.exe, 00000000.00000002.307503472.00000000095A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://us2.smtp.mailhostbox.com | aRmotFM1Zp.exe, 00000003.00000002.531217917.0000000002C1A000.00000004.00000800.00020000.00000000.sdmp, HSpMzoJ.exe, 00000010.00000002.531732412.0000000002FDD000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.ipify.org%appdata | HSpMzoJ.exe, 00000010.00000002.530370723.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | low
http://www.fontbureau.com/designers? | aRmotFM1Zp.exe, 00000000.00000002.307503472.00000000095A2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | aRmotFM1Zp.exe, 00000003.00000002.529873536.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, HSpMzoJ.exe, 00000010.00000002.530370723.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.com | aRmotFM1Zp.exe, 00000000.00000002.307503472.00000000095A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | aRmotFM1Zp.exe, 00000000.00000002.307503472.00000000095A2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kr | aRmotFM1Zp.exe, 00000000.00000002.307503472.00000000095A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://rw3y87WIqxS3D5b0nQ.com | HSpMzoJ.exe, 00000010.00000002.531698848.0000000002FD5000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                                    http://www.carterandcone.comlaRmotFM1Zp.exe, 00000000.00000002.307503472.00000000095A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://www.sajatypeworks.comaRmotFM1Zp.exe, 00000000.00000002.307503472.00000000095A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://www.typography.netDaRmotFM1Zp.exe, 00000000.00000002.307503472.00000000095A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://www.fontbureau.com/designers/cabarga.htmlNaRmotFM1Zp.exe, 00000000.00000002.307503472.00000000095A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                      high
                                      http://www.founder.com.cn/cn/cTheaRmotFM1Zp.exe, 00000000.00000002.307503472.00000000095A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.galapagosdesign.com/staff/dennis.htmaRmotFM1Zp.exe, 00000000.00000002.307503472.00000000095A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://fontfabrik.comaRmotFM1Zp.exe, 00000000.00000002.307503472.00000000095A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.founder.com.cn/cnaRmotFM1Zp.exe, 00000000.00000002.307503472.00000000095A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.fontbureau.com/designers/frere-user.htmlaRmotFM1Zp.exe, 00000000.00000002.307503472.00000000095A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                        high
                                        http://loVTdM.comHSpMzoJ.exe, 00000010.00000002.530370723.0000000002C81000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.jiyu-kobo.co.jp/aRmotFM1Zp.exe, 00000000.00000002.307503472.00000000095A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://DynDns.comDynDNSnamejidpasswordPsi/PsiHSpMzoJ.exe, 00000010.00000002.530370723.0000000002C81000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://www.galapagosdesign.com/DPleaseaRmotFM1Zp.exe, 00000000.00000002.307503472.00000000095A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://www.fontbureau.com/designers8aRmotFM1Zp.exe, 00000000.00000002.307503472.00000000095A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                          high
                                          http://ocsp.sectigo.com0AaRmotFM1Zp.exe, 00000003.00000002.531217917.0000000002C1A000.00000004.00000800.00020000.00000000.sdmp, HSpMzoJ.exe, 00000010.00000002.531732412.0000000002FDD000.00000004.00000800.00020000.00000000.sdmp, HSpMzoJ.exe, 00000010.00000002.527332027.0000000000E75000.00000004.00000020.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.fonts.comaRmotFM1Zp.exe, 00000000.00000002.307503472.00000000095A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                            high
                                            http://www.sandoll.co.kraRmotFM1Zp.exe, 00000000.00000002.307503472.00000000095A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.urwpp.deDPleaseaRmotFM1Zp.exe, 00000000.00000002.307503472.00000000095A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.zhongyicts.com.cnaRmotFM1Zp.exe, 00000000.00000002.307503472.00000000095A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.sakkal.comaRmotFM1Zp.exe, 00000000.00000002.307503472.00000000095A2000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            https://api.ipify.org%aRmotFM1Zp.exe, 00000003.00000002.529873536.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, HSpMzoJ.exe, 00000010.00000002.530370723.0000000002C81000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            low
IP | Domain | Country | ASN | ASN Name | Malicious
162.222.225.29 | us2.smtp.mailhostbox.com | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false
208.91.198.38 | unknown | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false
                                            Joe Sandbox Version:34.0.0 Boulder Opal
                                            Analysis ID:620774
Start date and time:2022-05-05 08:10:32 +02:00
                                            Joe Sandbox Product:CloudBasic
                                            Overall analysis duration:0h 12m 57s
                                            Hypervisor based Inspection enabled:false
                                            Report type:light
                                            Sample file name:aRmotFM1Zp (renamed file extension from none to exe)
                                            Cookbook file name:default.jbs
                                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:26
                                            Number of new started drivers analysed:0
                                            Number of existing processes analysed:0
                                            Number of existing drivers analysed:0
                                            Number of injected processes analysed:0
                                            Technologies:
                                            • HCA enabled
                                            • EGA enabled
                                            • HDC enabled
                                            • AMSI enabled
                                            Analysis Mode:default
                                            Analysis stop reason:Timeout
                                            Detection:MAL
                                            Classification:mal100.troj.spyw.evad.winEXE@7/4@2/2
                                            EGA Information:
                                            • Successful, ratio: 100%
                                            HDC Information:
                                            • Successful, ratio: 1.4% (good quality ratio 0.8%)
                                            • Quality average: 35.1%
                                            • Quality standard deviation: 37.4%
                                            HCA Information:
                                            • Successful, ratio: 97%
                                            • Number of executed functions: 0
                                            • Number of non-executed functions: 0
                                            Cookbook Comments:
                                            • Adjust boot time
                                            • Enable AMSI
                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                            • Excluded IPs from analysis (whitelisted): 23.211.6.115, 52.242.101.226, 40.125.122.176, 20.54.89.106, 20.223.24.244, 52.152.110.14
                                            • Excluded domains from analysis (whitelisted): fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, glb.sls.prod.dcat.dsp.trafficmanager.net
• Not all processes were analyzed, report is missing behavior information
                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                            • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
08:11:56 | API Interceptor | 694x Sleep call for process: aRmotFM1Zp.exe modified
08:12:08 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run HSpMzoJ C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe
08:12:16 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run HSpMzoJ C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe
08:12:24 | API Interceptor | 489x Sleep call for process: HSpMzoJ.exe modified
                                            Process:C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):1308
                                            Entropy (8bit):5.345811588615766
                                            Encrypted:false
                                            SSDEEP:24:ML9E4Ks29E4Kx1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MxHKX9HKx1qHiYHKhQnoPtHoxHhAHKzu
                                            MD5:36C0A7F32E757FCBECED4EB6FC3C922C
                                            SHA1:939BED45186769E4D878B9A44420CE140445F2CB
                                            SHA-256:C85B76D06B14DE0D203F30A03BA1D26F17BA9970FE8491AB00A1ED1C0DEC9989
                                            SHA-512:F0C308E83AE3FB61E9A7AA68E2CA54D9D48027DF1E8D8092C1FA61600555005675063F377C50572C34A39E8CC77FC044EAF2BC31D5C08DC46446C38F4433DF18
                                            Malicious:false
                                            Reputation:moderate, very likely benign file
                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                            Process:C:\Users\user\Desktop\aRmotFM1Zp.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):1308
                                            Entropy (8bit):5.345811588615766
                                            Encrypted:false
                                            SSDEEP:24:ML9E4Ks29E4Kx1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MxHKX9HKx1qHiYHKhQnoPtHoxHhAHKzu
                                            MD5:36C0A7F32E757FCBECED4EB6FC3C922C
                                            SHA1:939BED45186769E4D878B9A44420CE140445F2CB
                                            SHA-256:C85B76D06B14DE0D203F30A03BA1D26F17BA9970FE8491AB00A1ED1C0DEC9989
                                            SHA-512:F0C308E83AE3FB61E9A7AA68E2CA54D9D48027DF1E8D8092C1FA61600555005675063F377C50572C34A39E8CC77FC044EAF2BC31D5C08DC46446C38F4433DF18
                                            Malicious:true
                                            Reputation:moderate, very likely benign file
                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                            Process:C:\Users\user\Desktop\aRmotFM1Zp.exe
                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Category:dropped
                                            Size (bytes):624640
                                            Entropy (8bit):7.91979215126275
                                            Encrypted:false
                                            SSDEEP:12288:4k+Ef3acL8IztuR0b1Ivtj/9m2L2I26JEScveXyrbREL8AMOwvPI4IsHhIDL:zR128T2XyrbRET4I4lHWL
                                            MD5:5BBCC9D01BD32453756A8E65EDD2723A
                                            SHA1:48A5B77EF099971FB4D7E9FBD47CC20D910767E6
                                            SHA-256:C36EC3F847B81B6E59EE1E6D17544EE886A3A85105D1AA06646DF073F8590838
                                            SHA-512:B0250DA11BF6B14B8C97A20FDCEE46D9341585F0FC91A77FED3004EBBDEC1D538545E62EE2B0E6A29C99534AF6B61540467BAEF4CD08E3450613587D8D45D8A5
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                            • Antivirus: Virustotal, Detection: 35%, Browse
                                            • Antivirus: ReversingLabs, Detection: 29%
                                            Reputation:low
                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....O................0...................... ....@.. ....................................@.....................................S.......................................................................................................H...........>Uu.j........ ......................@....text.............................. ..`.rsrc................~..............@..@.reloc..............................@..B.................................... ..`........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                            Process:C:\Users\user\Desktop\aRmotFM1Zp.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:modified
                                            Size (bytes):26
                                            Entropy (8bit):3.95006375643621
                                            Encrypted:false
                                            SSDEEP:3:ggPYV:rPYV
                                            MD5:187F488E27DB4AF347237FE461A079AD
                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                            Malicious:true
                                            Preview:[ZoneTransfer]....ZoneId=0
                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Entropy (8bit):7.91979215126275
                                            TrID:
                                            • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                            • Win32 Executable (generic) a (10002005/4) 49.96%
                                            • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                            • DOS Executable Generic (2002/1) 0.01%
                                            File name:aRmotFM1Zp.exe
                                            File size:624640
                                            MD5:5bbcc9d01bd32453756a8e65edd2723a
                                            SHA1:48a5b77ef099971fb4d7e9fbd47cc20d910767e6
                                            SHA256:c36ec3f847b81b6e59ee1e6d17544ee886a3a85105d1aa06646df073f8590838
                                            SHA512:b0250da11bf6b14b8c97a20fdcee46d9341585f0fc91a77fed3004ebbdec1d538545e62ee2b0e6a29c99534af6b61540467baef4cd08e3450613587d8d45d8a5
                                            SSDEEP:12288:4k+Ef3acL8IztuR0b1Ivtj/9m2L2I26JEScveXyrbREL8AMOwvPI4IsHhIDL:zR128T2XyrbRET4I4lHWL
                                            TLSH:E7D4E19C715172EFC467D0B29E981DA4ABA179BA932F5143E02316ADDD4C88BCF241F3
                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....O................0...................... ....@.. ....................................@................................
                                            Icon Hash:00828e8e8686b000
                                            Entrypoint:0x49e00a
                                            Entrypoint Section:
                                            Digitally signed:false
                                            Imagebase:0x400000
                                            Subsystem:windows gui
                                            Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                            DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                            Time Stamp:0xFB984FB0 [Fri Oct 5 21:31:28 2103 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:v4.0.30319
                                            OS Version Major:4
                                            OS Version Minor:0
                                            File Version Major:4
                                            File Version Minor:0
                                            Subsystem Version Major:4
                                            Subsystem Version Minor:0
                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                            Instruction
                                            jmp dword ptr [0049E000h]
Data directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xe8f8 | 0x53 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x9a000 | 0x410 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x9c000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x9e000 | 0x8 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0xe000 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Two things worth reading off this table: the IAT entry has no section name in the report because its RVA 0x9e000 is the start of the nameless section listed in the section table below, and a non-empty COM_DESCRIPTOR (CLR header) marks the file as a .NET assembly, which matches the single mscoree.dll import and the "Programmed in: .Net C# or VB.NET" entries further down.
Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
>Uuj | 0x2000 | 0xbb14 | 0xbc00 | False | 1.00043633644 | data | 7.99627258012 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.text | 0xe000 | 0x8bdd0 | 0x8be00 | False | 0.922606330987 | data | 7.91715713466 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x9a000 | 0x410 | 0x600 | False | 0.288411458333 | data | 2.38869518395 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x9c000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0980041756627 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
(nameless) | 0x9e000 | 0x10 | 0x200 | False | 0.04296875 | data | 0.122275881259 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x9a058 | 0x3b4 | data | |
Imports

DLL | Import
mscoree.dll | _CorExeMain

Version info

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2020-2021 by David Xanatos (xanasoft.com)
Assembly Version | 1.0.0.0
InternalName | LoaderOptimizat.exe
FileVersion | 1.0.0.0
CompanyName | sandboxie-plus.com
LegalTrademarks |
Comments |
ProductName | Sandboxie
ProductVersion | 1.0.0.0
FileDescription | Sandboxie Installer
OriginalFilename | LoaderOptimizat.exe

The version resource copies the Sandboxie installer's metadata (product name, company, copyright holder) while the internal and original file names are LoaderOptimizat.exe; together with the single mscoree.dll!_CorExeMain import, this is a .NET loader dressed up as a known installer, not a Sandboxie build.
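The section table above is what a triage script computes from the PE's section headers: name sanity, per-section entropy, and characteristics. As an added example that is not Joe Sandbox's or the sample's code, the Python below parses IMAGE_SECTION_HEADER entries by hand (no pefile dependency), applies those heuristics (nameless or special-character names, near-8.0 entropy, writable plus executable), and resolves an RVA to its section the way the "Is in Section" column does. The PE it parses is a constructed minimal stub whose five sections mirror the layout above, with seeded random bytes standing in for the encrypted first section; the 7.5 entropy threshold and the list of standard section names are assumptions.

```python
import math
import random
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Assumed: names a linker normally emits; anything else is reported as non-standard.
STANDARD_NAMES = {b".text", b".data", b".rdata", b".rsrc", b".reloc", b".idata",
                  b".edata", b".pdata", b".bss", b".tls"}
NAME_ALPHABET = set(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._$")
HIGH_ENTROPY = 7.5  # assumed threshold; packed or encrypted data sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> IMAGE_SECTION_HEADER array."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    first = coff + 20 + opt_size  # section headers follow the optional header
    sections = []
    for i in range(nsections):
        (raw_name, vsize, va, raw_size, raw_ptr,
         _, _, _, _, chars) = struct.unpack_from("<8sIIIIIIHHI", pe, first + 40 * i)
        data = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": raw_name.rstrip(b"\0"), "va": va, "vsize": vsize,
                         "raw_size": raw_size, "chars": chars,
                         "entropy": shannon_entropy(data)})
    return sections


def section_for_rva(sections: list, rva: int):
    """Map an RVA (e.g. a data directory entry) to its section, like the 'Is in Section' column."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s["name"]
    return None


def triage(s: dict) -> list:
    """The heuristics behind 'nameless sections', 'special chars' and high entropy."""
    findings = []
    if not s["name"]:
        findings.append("nameless section")
    elif any(c not in NAME_ALPHABET for c in s["name"]):
        findings.append("special chars in section name")
    elif s["name"] not in STANDARD_NAMES:
        findings.append("non-standard section name")
    if s["entropy"] >= HIGH_ENTROPY:
        findings.append("high entropy %.2f (packed or encrypted)" % s["entropy"])
    if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append("writable and executable")
    return findings


def build_stub_pe(layout: list) -> bytes:
    """Constructed minimal PE32 image for the parser: DOS header, zero-filled optional
    header, then one section per (name, characteristics, payload). Not loadable."""
    opt_size, file_align = 0xE0, 0x200
    align = lambda x, a: (x + a - 1) // a * a
    header_len = align(0x40 + 4 + 20 + opt_size + 40 * len(layout), file_align)
    hdr = bytearray(b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40))  # e_lfanew = 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, opt_size, 0x0102)
    hdr += bytes(opt_size)
    body, raw_ptr, va = bytearray(), header_len, 0x1000
    for name, chars, payload in layout:
        raw_size = align(len(payload), file_align)
        hdr += struct.pack("<8sIIIIIIHHI", name, len(payload), va, raw_size, raw_ptr, 0, 0, 0, 0, chars)
        body += payload.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        va += align(max(len(payload), 1), 0x1000)
    return bytes(hdr.ljust(header_len, b"\0")) + bytes(body)


RNG = random.Random(20220505)  # seeded so the constructed stub is reproducible
STUB_LAYOUT = [  # same five-section shape as the table above, constructed contents
    (b">Uuj", IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_READ,
     bytes(RNG.getrandbits(8) for _ in range(4096))),  # random bytes stand in for an encrypted blob
    (b".text", IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ, b"\x55\x8b\xec\x5d\xc3" * 64),
    (b".rsrc", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ, b"VS_VERSION_INFO".ljust(0x410, b"\0")),
    (b".reloc", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_DISCARDABLE | IMAGE_SCN_MEM_READ, bytes(12)),
    (b"", IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ, b"\xff\x25" + bytes(14)),
]


def run_demo() -> dict:
    """Findings per section name for the constructed stub."""
    return {s["name"]: triage(s) for s in parse_sections(build_stub_pe(STUB_LAYOUT))}
```

On the stub, run_demo() reports the first section as special-character-named, writable and executable, and high-entropy, and the last one as nameless, while .text, .rsrc and .reloc come back clean; on a real file, replace build_stub_pe() with the bytes of the sample and the same three findings are what the report's "section with special chars", "nameless sections" and entropy 7.99 signatures express.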
TCP packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 5, 2022 08:12:20.020505905 CEST | 49761 | 587 | 192.168.2.4 | 162.222.225.29
May 5, 2022 08:12:20.215543985 CEST | 587 | 49761 | 162.222.225.29 | 192.168.2.4
May 5, 2022 08:12:20.216511011 CEST | 49761 | 587 | 192.168.2.4 | 162.222.225.29
May 5, 2022 08:12:21.418273926 CEST | 587 | 49761 | 162.222.225.29 | 192.168.2.4
May 5, 2022 08:12:21.420501947 CEST | 49761 | 587 | 192.168.2.4 | 162.222.225.29
May 5, 2022 08:12:21.615449905 CEST | 587 | 49761 | 162.222.225.29 | 192.168.2.4
May 5, 2022 08:12:21.615484953 CEST | 587 | 49761 | 162.222.225.29 | 192.168.2.4
May 5, 2022 08:12:21.615834951 CEST | 49761 | 587 | 192.168.2.4 | 162.222.225.29
May 5, 2022 08:12:21.811336994 CEST | 587 | 49761 | 162.222.225.29 | 192.168.2.4
May 5, 2022 08:12:21.856408119 CEST | 49761 | 587 | 192.168.2.4 | 162.222.225.29
May 5, 2022 08:12:22.051671982 CEST | 587 | 49761 | 162.222.225.29 | 192.168.2.4
May 5, 2022 08:12:22.051703930 CEST | 587 | 49761 | 162.222.225.29 | 192.168.2.4
May 5, 2022 08:12:22.051722050 CEST | 587 | 49761 | 162.222.225.29 | 192.168.2.4
May 5, 2022 08:12:22.051736116 CEST | 587 | 49761 | 162.222.225.29 | 192.168.2.4
May 5, 2022 08:12:22.051875114 CEST | 49761 | 587 | 192.168.2.4 | 162.222.225.29
May 5, 2022 08:12:22.052794933 CEST | 587 | 49761 | 162.222.225.29 | 192.168.2.4
May 5, 2022 08:12:22.172635078 CEST | 49761 | 587 | 192.168.2.4 | 162.222.225.29
May 5, 2022 08:12:22.246841908 CEST | 587 | 49761 | 162.222.225.29 | 192.168.2.4
May 5, 2022 08:12:22.276808977 CEST | 49761 | 587 | 192.168.2.4 | 162.222.225.29
May 5, 2022 08:12:22.472311974 CEST | 587 | 49761 | 162.222.225.29 | 192.168.2.4
May 5, 2022 08:12:22.530625105 CEST | 49761 | 587 | 192.168.2.4 | 162.222.225.29
May 5, 2022 08:12:22.726010084 CEST | 587 | 49761 | 162.222.225.29 | 192.168.2.4
May 5, 2022 08:12:22.729656935 CEST | 49761 | 587 | 192.168.2.4 | 162.222.225.29
May 5, 2022 08:12:22.927124023 CEST | 587 | 49761 | 162.222.225.29 | 192.168.2.4
May 5, 2022 08:12:22.927920103 CEST | 49761 | 587 | 192.168.2.4 | 162.222.225.29
May 5, 2022 08:12:23.126130104 CEST | 587 | 49761 | 162.222.225.29 | 192.168.2.4
May 5, 2022 08:12:23.146672010 CEST | 49761 | 587 | 192.168.2.4 | 162.222.225.29
May 5, 2022 08:12:23.343975067 CEST | 587 | 49761 | 162.222.225.29 | 192.168.2.4
May 5, 2022 08:12:23.344449997 CEST | 49761 | 587 | 192.168.2.4 | 162.222.225.29
May 5, 2022 08:12:23.549371004 CEST | 587 | 49761 | 162.222.225.29 | 192.168.2.4
May 5, 2022 08:12:23.565069914 CEST | 49761 | 587 | 192.168.2.4 | 162.222.225.29
May 5, 2022 08:12:23.761317015 CEST | 587 | 49761 | 162.222.225.29 | 192.168.2.4
May 5, 2022 08:12:23.761445999 CEST | 49761 | 587 | 192.168.2.4 | 162.222.225.29
May 5, 2022 08:12:48.983448982 CEST | 49770 | 587 | 192.168.2.4 | 208.91.198.38
May 5, 2022 08:12:49.180568933 CEST | 587 | 49770 | 208.91.198.38 | 192.168.2.4
May 5, 2022 08:12:49.181999922 CEST | 49770 | 587 | 192.168.2.4 | 208.91.198.38
May 5, 2022 08:12:50.387222052 CEST | 587 | 49770 | 208.91.198.38 | 192.168.2.4
May 5, 2022 08:12:50.387765884 CEST | 49770 | 587 | 192.168.2.4 | 208.91.198.38
May 5, 2022 08:12:50.584290028 CEST | 587 | 49770 | 208.91.198.38 | 192.168.2.4
May 5, 2022 08:12:50.585535049 CEST | 587 | 49770 | 208.91.198.38 | 192.168.2.4
May 5, 2022 08:12:50.590249062 CEST | 49770 | 587 | 192.168.2.4 | 208.91.198.38
May 5, 2022 08:12:50.787180901 CEST | 587 | 49770 | 208.91.198.38 | 192.168.2.4
May 5, 2022 08:12:50.831279993 CEST | 49770 | 587 | 192.168.2.4 | 208.91.198.38
May 5, 2022 08:12:50.852123022 CEST | 49770 | 587 | 192.168.2.4 | 208.91.198.38
May 5, 2022 08:12:51.049240112 CEST | 587 | 49770 | 208.91.198.38 | 192.168.2.4
May 5, 2022 08:12:51.049273968 CEST | 587 | 49770 | 208.91.198.38 | 192.168.2.4
May 5, 2022 08:12:51.049285889 CEST | 587 | 49770 | 208.91.198.38 | 192.168.2.4
May 5, 2022 08:12:51.049293995 CEST | 587 | 49770 | 208.91.198.38 | 192.168.2.4
May 5, 2022 08:12:51.049487114 CEST | 49770 | 587 | 192.168.2.4 | 208.91.198.38
May 5, 2022 08:12:51.051520109 CEST | 587 | 49770 | 208.91.198.38 | 192.168.2.4
May 5, 2022 08:12:51.097026110 CEST | 49770 | 587 | 192.168.2.4 | 208.91.198.38
May 5, 2022 08:12:51.245929956 CEST | 587 | 49770 | 208.91.198.38 | 192.168.2.4
May 5, 2022 08:12:51.282844067 CEST | 49770 | 587 | 192.168.2.4 | 208.91.198.38
May 5, 2022 08:12:51.480046988 CEST | 587 | 49770 | 208.91.198.38 | 192.168.2.4
May 5, 2022 08:12:51.534478903 CEST | 49770 | 587 | 192.168.2.4 | 208.91.198.38
May 5, 2022 08:12:51.994674921 CEST | 49770 | 587 | 192.168.2.4 | 208.91.198.38
May 5, 2022 08:12:52.192274094 CEST | 587 | 49770 | 208.91.198.38 | 192.168.2.4
May 5, 2022 08:12:52.194694042 CEST | 49770 | 587 | 192.168.2.4 | 208.91.198.38
May 5, 2022 08:12:52.503341913 CEST | 49770 | 587 | 192.168.2.4 | 208.91.198.38
May 5, 2022 08:12:52.660124063 CEST | 587 | 49770 | 208.91.198.38 | 192.168.2.4
May 5, 2022 08:12:52.660198927 CEST | 49770 | 587 | 192.168.2.4 | 208.91.198.38
May 5, 2022 08:12:52.703977108 CEST | 587 | 49770 | 208.91.198.38 | 192.168.2.4
May 5, 2022 08:12:52.769052029 CEST | 49770 | 587 | 192.168.2.4 | 208.91.198.38
May 5, 2022 08:12:53.130268097 CEST | 49770 | 587 | 192.168.2.4 | 208.91.198.38
May 5, 2022 08:12:53.333652020 CEST | 587 | 49770 | 208.91.198.38 | 192.168.2.4
May 5, 2022 08:12:53.378429890 CEST | 49770 | 587 | 192.168.2.4 | 208.91.198.38
May 5, 2022 08:12:53.428436041 CEST | 49770 | 587 | 192.168.2.4 | 208.91.198.38
May 5, 2022 08:12:53.627329111 CEST | 587 | 49770 | 208.91.198.38 | 192.168.2.4
May 5, 2022 08:12:53.675370932 CEST | 49770 | 587 | 192.168.2.4 | 208.91.198.38
May 5, 2022 08:12:53.725111961 CEST | 49770 | 587 | 192.168.2.4 | 208.91.198.38
May 5, 2022 08:12:53.933653116 CEST | 587 | 49770 | 208.91.198.38 | 192.168.2.4
May 5, 2022 08:12:53.958849907 CEST | 49770 | 587 | 192.168.2.4 | 208.91.198.38
May 5, 2022 08:12:54.156755924 CEST | 587 | 49770 | 208.91.198.38 | 192.168.2.4
May 5, 2022 08:12:54.156913996 CEST | 49770 | 587 | 192.168.2.4 | 208.91.198.38
UDP packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 5, 2022 08:12:19.952409983 CEST | 64454 | 53 | 192.168.2.4 | 8.8.8.8
May 5, 2022 08:12:19.971417904 CEST | 53 | 64454 | 8.8.8.8 | 192.168.2.4
May 5, 2022 08:12:48.909281969 CEST | 60758 | 53 | 192.168.2.4 | 8.8.8.8
May 5, 2022 08:12:48.930507898 CEST | 53 | 60758 | 8.8.8.8 | 192.168.2.4
DNS queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
May 5, 2022 08:12:19.952409983 CEST | 192.168.2.4 | 8.8.8.8 | 0xa466 | Standard query (0) | us2.smtp.mailhostbox.com | A (IP address) | IN (0x0001)
May 5, 2022 08:12:48.909281969 CEST | 192.168.2.4 | 8.8.8.8 | 0x65bf | Standard query (0) | us2.smtp.mailhostbox.com | A (IP address) | IN (0x0001)
DNS answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
May 5, 2022 08:12:19.971417904 CEST | 8.8.8.8 | 192.168.2.4 | 0xa466 | No error (0) | us2.smtp.mailhostbox.com | | 162.222.225.29 | A (IP address) | IN (0x0001)
May 5, 2022 08:12:19.971417904 CEST | 8.8.8.8 | 192.168.2.4 | 0xa466 | No error (0) | us2.smtp.mailhostbox.com | | 208.91.198.46 | A (IP address) | IN (0x0001)
May 5, 2022 08:12:19.971417904 CEST | 8.8.8.8 | 192.168.2.4 | 0xa466 | No error (0) | us2.smtp.mailhostbox.com | | 208.91.198.38 | A (IP address) | IN (0x0001)
May 5, 2022 08:12:19.971417904 CEST | 8.8.8.8 | 192.168.2.4 | 0xa466 | No error (0) | us2.smtp.mailhostbox.com | | 162.222.225.16 | A (IP address) | IN (0x0001)
May 5, 2022 08:12:48.930507898 CEST | 8.8.8.8 | 192.168.2.4 | 0x65bf | No error (0) | us2.smtp.mailhostbox.com | | 208.91.198.38 | A (IP address) | IN (0x0001)
May 5, 2022 08:12:48.930507898 CEST | 8.8.8.8 | 192.168.2.4 | 0x65bf | No error (0) | us2.smtp.mailhostbox.com | | 162.222.225.29 | A (IP address) | IN (0x0001)
May 5, 2022 08:12:48.930507898 CEST | 8.8.8.8 | 192.168.2.4 | 0x65bf | No error (0) | us2.smtp.mailhostbox.com | | 162.222.225.16 | A (IP address) | IN (0x0001)
May 5, 2022 08:12:48.930507898 CEST | 8.8.8.8 | 192.168.2.4 | 0x65bf | No error (0) | us2.smtp.mailhostbox.com | | 208.91.198.46 | A (IP address) | IN (0x0001)
SMTP conversations

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
May 5, 2022 08:12:21.418273926 CEST | 587 | 49761 | 162.222.225.29 | 192.168.2.4 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
May 5, 2022 08:12:21.420501947 CEST | 49761 | 587 | 192.168.2.4 | 162.222.225.29 | EHLO 841675
May 5, 2022 08:12:21.615484953 CEST | 587 | 49761 | 162.222.225.29 | 192.168.2.4 | 250-us2.outbound.mailhostbox.com
    250-PIPELINING
    250-SIZE 41648128
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-DSN
    250 CHUNKING
May 5, 2022 08:12:21.615834951 CEST | 49761 | 587 | 192.168.2.4 | 162.222.225.29 | STARTTLS
May 5, 2022 08:12:21.811336994 CEST | 587 | 49761 | 162.222.225.29 | 192.168.2.4 | 220 2.0.0 Ready to start TLS
May 5, 2022 08:12:50.387222052 CEST | 587 | 49770 | 208.91.198.38 | 192.168.2.4 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
May 5, 2022 08:12:50.387765884 CEST | 49770 | 587 | 192.168.2.4 | 208.91.198.38 | EHLO 841675
May 5, 2022 08:12:50.585535049 CEST | 587 | 49770 | 208.91.198.38 | 192.168.2.4 | 250-us2.outbound.mailhostbox.com
    250-PIPELINING
    250-SIZE 41648128
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-DSN
    250 CHUNKING
May 5, 2022 08:12:50.590249062 CEST | 49770 | 587 | 192.168.2.4 | 208.91.198.38 | STARTTLS
May 5, 2022 08:12:50.787180901 CEST | 587 | 49770 | 208.91.198.38 | 192.168.2.4 | 220 2.0.0 Ready to start TLS
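Both TCP streams above are SMTP submissions on port 587 to addresses that the DNS answers returned for us2.smtp.mailhostbox.com, and both captured dialogues end at "220 2.0.0 Ready to start TLS": the AUTH exchange and the stolen data travel inside TLS, so the mailbox credentials are not recoverable from the pcap and have to come from the sample's configuration instead. As an added example that is not Joe Sandbox's or the sample's code, the Python below folds flow records into client/server flows, ties the port-587 flows back to the DNS answers, and walks an SMTP dialogue recording what an analyst wants from it: server banner, EHLO name, offered AUTH mechanisms, whether STARTTLS completed, and any PLAIN credentials sent before it. The flow lines are constructed from the DNS exchange and the first two packets of each stream above; the second dialogue, in which the client skips STARTTLS and authenticates in the clear with made-up credentials, is a constructed counter-example showing what the same parser recovers when TLS is not used.

```python
import base64
from collections import defaultdict

# Constructed flow records, "timestamp,src_port,dst_port,src_ip,dst_ip", taken from the
# DNS exchange and the first two packets of each TCP stream in the tables above.
FLOW_LINES = """\
08:12:19.952,64454,53,192.168.2.4,8.8.8.8
08:12:19.971,53,64454,8.8.8.8,192.168.2.4
08:12:20.020,49761,587,192.168.2.4,162.222.225.29
08:12:20.215,587,49761,162.222.225.29,192.168.2.4
08:12:48.983,49770,587,192.168.2.4,208.91.198.38
08:12:49.180,587,49770,208.91.198.38,192.168.2.4
"""
# A records returned for the name in the DNS answers above.
DNS_ANSWERS = {"us2.smtp.mailhostbox.com": {"162.222.225.29", "208.91.198.46",
                                            "208.91.198.38", "162.222.225.16"}}
SUBMISSION_PORTS = {25, 465, 587}


def client_flows(lines: str, local_net: str = "192.168.") -> dict:
    """Fold packets into (client, server, server_port) flows; the local host is the client."""
    flows = defaultdict(lambda: {"packets": 0, "first": None, "last": None})
    for line in lines.splitlines():
        ts, sport, dport, sip, dip = line.split(",")
        if sip.startswith(local_net):
            key = (sip, dip, int(dport))
        else:  # reply packet: swap so the key matches the outbound direction
            key = (dip, sip, int(sport))
        f = flows[key]
        f["packets"] += 1
        f["first"] = f["first"] or ts
        f["last"] = ts
    return dict(flows)


def outbound_smtp(flows: dict, dns: dict) -> list:
    """Flag submission-port flows from the endpoint and tie each server IP to the DNS name."""
    hits = []
    for (client, server, port), f in sorted(flows.items()):
        if port in SUBMISSION_PORTS:
            names = sorted(n for n, addrs in dns.items() if server in addrs)
            hits.append({"client": client, "server": server, "port": port,
                         "packets": f["packets"], "resolved_from": names})
    return hits


def decode_plain(initial_response: str) -> tuple:
    """SASL PLAIN initial response is base64(authzid NUL authcid NUL password)."""
    _authzid, user, password = base64.b64decode(initial_response).split(b"\0", 2)
    return user.decode(), password.decode()


def parse_smtp(dialogue: list) -> dict:
    """dialogue: ("S"|"C", line) pairs in wire order. Records the server banner, the
    client's EHLO name, offered AUTH mechanisms, whether STARTTLS completed (after
    which the capture is opaque) and any PLAIN credentials sent before TLS."""
    state = {"server": None, "ehlo": None, "auth_offered": [], "tls": False,
             "cleartext_creds": None}
    for side, line in dialogue:
        if side == "S":
            if line.startswith("220 ") and state["server"] is None:
                state["server"] = line.split()[1]           # greeting banner
            elif line.startswith(("250-AUTH ", "250 AUTH ")):
                state["auth_offered"] = line.split()[1:]     # EHLO capability line
            elif line.startswith("220 ") and "TLS" in line:
                state["tls"] = True                          # reply to STARTTLS
        else:
            verb, _, arg = line.partition(" ")
            if verb.upper() == "EHLO":
                state["ehlo"] = arg
            elif verb.upper() == "AUTH" and not state["tls"]:
                mech, _, initial = arg.partition(" ")
                if mech.upper() == "PLAIN" and initial:
                    state["cleartext_creds"] = decode_plain(initial)
    return state


# The dialogue captured above (both streams stop at the STARTTLS reply).
CAPTURED = [
    ("S", "220 us2.outbound.mailhostbox.com ESMTP Postfix"),
    ("C", "EHLO 841675"),
    ("S", "250-us2.outbound.mailhostbox.com"),
    ("S", "250-STARTTLS"),
    ("S", "250-AUTH PLAIN LOGIN"),
    ("S", "250 CHUNKING"),
    ("C", "STARTTLS"),
    ("S", "220 2.0.0 Ready to start TLS"),
]
# Constructed counter-example with made-up credentials: same server, but the client
# never issues STARTTLS and authenticates in the clear.
CLEARTEXT = CAPTURED[:6] + [
    ("C", "AUTH PLAIN " + base64.b64encode(b"\0exfil@example.invalid\0hunter2").decode()),
    ("S", "235 2.7.0 Authentication successful"),
]


def run_demo() -> dict:
    return {"smtp_flows": outbound_smtp(client_flows(FLOW_LINES), DNS_ANSWERS),
            "captured": parse_smtp(CAPTURED), "cleartext": parse_smtp(CLEARTEXT)}
```

For the captured dialogue the parser returns tls=True and cleartext_creds=None, which is the practical reading of this report: the EHLO name 841675 and the server identity are all the wire gives you, and the SMTP account used for exfiltration must be pulled from the decrypted configuration in memory (the "Found malware configuration" signature) rather than from the capture. A detection built on the flow side, endpoint to a public mail submission port with no mail client involved, does not depend on seeing inside TLS.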


                                            Target ID:0
                                            Start time:08:11:45
                                            Start date:05/05/2022
                                            Path:C:\Users\user\Desktop\aRmotFM1Zp.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\Desktop\aRmotFM1Zp.exe"
                                            Imagebase:0xce0000
                                            File size:624640 bytes
                                            MD5 hash:5BBCC9D01BD32453756A8E65EDD2723A
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.296427062.0000000003051000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.303899433.0000000004BED000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.303899433.0000000004BED000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.298973097.0000000003275000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:low

                                            Target ID:3
                                            Start time:08:11:59
                                            Start date:05/05/2022
                                            Path:C:\Users\user\Desktop\aRmotFM1Zp.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Users\user\Desktop\aRmotFM1Zp.exe
                                            Imagebase:0x5a0000
                                            File size:624640 bytes
                                            MD5 hash:5BBCC9D01BD32453756A8E65EDD2723A
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000000.289976740.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000000.289976740.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.529873536.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.529873536.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.522484035.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000002.522484035.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000000.291340877.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000000.291340877.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000000.290808406.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000000.290808406.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000000.289323287.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000000.289323287.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:low

                                            Target ID:13
                                            Start time:08:12:16
                                            Start date:05/05/2022
                                            Path:C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe"
                                            Imagebase:0xce0000
                                            File size:624640 bytes
                                            MD5 hash:5BBCC9D01BD32453756A8E65EDD2723A
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.369643217.0000000004C8D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000D.00000002.369643217.0000000004C8D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000D.00000002.364235592.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 0000000D.00000002.364734676.0000000003318000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Antivirus matches:
                                            • Detection: 100%, Joe Sandbox ML
                                            • Detection: 35%, Virustotal, Browse
                                            • Detection: 29%, ReversingLabs
                                            Reputation:low

                                            Target ID:14
                                            Start time:08:12:26
                                            Start date:05/05/2022
                                            Path:C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe"
                                            Imagebase:0x2a0000
                                            File size:624640 bytes
                                            MD5 hash:5BBCC9D01BD32453756A8E65EDD2723A
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Reputation:low

                                            Target ID:16
                                            Start time:08:12:29
                                            Start date:05/05/2022
                                            Path:C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Users\user\AppData\Roaming\HSpMzoJ\HSpMzoJ.exe
                                            Imagebase:0x7b0000
                                            File size:624640 bytes
                                            MD5 hash:5BBCC9D01BD32453756A8E65EDD2723A
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000002.522438754.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000010.00000002.522438754.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000000.352232161.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000010.00000000.352232161.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000000.354545797.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000010.00000000.354545797.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000000.353714867.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000010.00000000.353714867.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000000.352943219.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000010.00000000.352943219.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000002.530370723.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000002.530370723.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:low

                                            No disassembly