Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
llcubnch6T

Overview

General Information

Sample Name:llcubnch6T (renamed file extension from none to exe)
Analysis ID:679479
MD5:44e407b3de4a9865ab747bdca810b0b9
SHA1:6eb199e6837432d8acb98c03b22277f340726372
SHA256:da6abb6f3aae250d50ed09b6eacc267c33e50895e3ebd7e6ba800ab018351ec5
Tags:32exetrojan
Infos:

Detection

AsyncRAT
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Yara detected AsyncRAT
Multi AV Scanner detection for dropped file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Yara detected Generic Downloader
Machine Learning detection for dropped file
Adds a directory exclusion to Windows Defender
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • llcubnch6T.exe (PID: 5324 cmdline: "C:\Users\user\Desktop\llcubnch6T.exe" MD5: 44E407B3DE4A9865AB747BDCA810B0B9)
    • powershell.exe (PID: 5040 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RhFYnHFgJ.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 6132 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RhFYnHFgJ" /XML "C:\Users\user\AppData\Local\Temp\tmp95A0.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 1672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • llcubnch6T.exe (PID: 3720 cmdline: C:\Users\user\Desktop\llcubnch6T.exe MD5: 44E407B3DE4A9865AB747BDCA810B0B9)
  • cleanup

Malware Configuration

Threatname: AsyncRAT

{"Server": "91.193.75.135", "Ports": "3030", "Version": "0.5.7B", "Autorun": "false", "Install_Folder": "%AppData%"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.418726957.0000000003063000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
    00000009.00000002.630822289.0000000003051000.00000004.00000800.00020000.00000000.sdmpMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
    • 0x140ef:$x1: AsyncRAT
    • 0x1412d:$x1: AsyncRAT
    00000009.00000000.410857927.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AsyncRATYara detected AsyncRATJoe Security
      00000009.00000000.410857927.0000000000402000.00000040.00000400.00020000.00000000.sdmpINDICATOR_SUSPICIOUS_EXE_ASEP_REG_ReverseDetects file containing reversed ASEP Autorun registry keysditekSHen
      • 0xa0d9:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
      00000009.00000002.635757563.00000000055A6000.00000004.00000800.00020000.00000000.sdmpMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
      • 0x8743:$x1: AsyncRAT
      • 0x8781:$x1: AsyncRAT
      Click to see the 7 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      0.2.llcubnch6T.exe.30fdb24.6.unpackJoeSecurity_AsyncRATYara detected AsyncRATJoe Security
        0.2.llcubnch6T.exe.30fdb24.6.unpackINDICATOR_SUSPICIOUS_EXE_ASEP_REG_ReverseDetects file containing reversed ASEP Autorun registry keysditekSHen
        • 0x84d9:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
        0.2.llcubnch6T.exe.310ae28.5.unpackJoeSecurity_AsyncRATYara detected AsyncRATJoe Security
          0.2.llcubnch6T.exe.310ae28.5.unpackINDICATOR_SUSPICIOUS_EXE_ASEP_REG_ReverseDetects file containing reversed ASEP Autorun registry keysditekSHen
          • 0x84d9:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
          0.2.llcubnch6T.exe.30fdb24.6.raw.unpackJoeSecurity_AsyncRATYara detected AsyncRATJoe Security
            Click to see the 10 entries

            Sigma Signatures

            No Sigma rule has matched

            Snort Signatures

            No Snort rule has matched

            Joe Sandbox Signatures

            Click to jump to signature section

            Show All Signature Results

            AV Detection

            barindex
            Multi AV Scanner detection for submitted file
            Source: llcubnch6T.exeVirustotal: Detection: 53%Perma Link
            Multi AV Scanner detection for dropped file
            Source: C:\Users\user\AppData\Roaming\RhFYnHFgJ.exeReversingLabs: Detection: 53%
            Machine Learning detection for sample
            Source: llcubnch6T.exeJoe Sandbox ML: detected
            Machine Learning detection for dropped file
            Source: C:\Users\user\AppData\Roaming\RhFYnHFgJ.exeJoe Sandbox ML: detected
            Source: 00000000.00000002.419146088.00000000030EE000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: AsyncRAT {"Server": "91.193.75.135", "Ports": "3030", "Version": "0.5.7B", "Autorun": "false", "Install_Folder": "%AppData%"}
            Source: llcubnch6T.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: llcubnch6T.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: C:\Users\user\Desktop\llcubnch6T.exeCode function: 4x nop then jmp 010B5A17h

            Networking

            barindex
            Yara detected Generic Downloader
            Source: Yara matchFile source: 0.2.llcubnch6T.exe.30fdb24.6.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.llcubnch6T.exe.30ee614.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.llcubnch6T.exe.310ae28.5.raw.unpack, type: UNPACKEDPE
            Source: Joe Sandbox ViewIP Address: 91.193.75.135 91.193.75.135
            Source: global trafficTCP traffic: 192.168.2.6:49765 -> 91.193.75.135:3030
            Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.135
            Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.135
            Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.135
            Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.135
            Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.135
            Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.135
            Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.135
            Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.135
            Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.135
            Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.135
            Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.135
            Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.135
            Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.135
            Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.135
            Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.135
            Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.135
            Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.135
            Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.135
            Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.135
            Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.135
            Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.135
            Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.135
            Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.135
            Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.135
            Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.135
            Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.135
            Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.135
            Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.135
            Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.135
            Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.135
            Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.135
            Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.135
            Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.135
            Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.135
            Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.135
            Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.135
            Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.135
            Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.135
            Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.135
            Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.135
            Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.135
            Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.135
            Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.135
            Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.135
            Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.135
            Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.135
            Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.135
            Source: unknownTCP traffic detected without corresponding DNS query: 91.193.75.135
            Source: llcubnch6T.exe, 00000000.00000003.370486654.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.370416567.0000000005F77000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://en.w
            Source: llcubnch6T.exe, 00000000.00000003.369532282.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.369672069.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.369439345.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.369755917.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.369565571.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://fontfabrik.com
            Source: llcubnch6T.exe, 00000000.00000003.369532282.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.369344253.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.369439345.0000000005F73000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://fontfabrik.comi;
            Source: llcubnch6T.exe, 00000000.00000003.369532282.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.369672069.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.369755917.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.369565571.0000000005F73000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://fontfabrik.comz
            Source: llcubnch6T.exe, 00000000.00000002.418726957.0000000003063000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: llcubnch6T.exe, 00000000.00000003.373444862.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.373397776.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.373494865.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
            Source: llcubnch6T.exe, 00000000.00000003.376677530.0000000005F74000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.ascendercorp.com/typedesigners.html
            Source: llcubnch6T.exe, 00000000.00000003.374008369.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.374159108.0000000005F79000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.374208532.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.373945445.0000000005F78000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comadD
            Source: llcubnch6T.exe, 00000000.00000003.374008369.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.374159108.0000000005F79000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.374208532.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.373945445.0000000005F78000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.comic
            Source: llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
            Source: llcubnch6T.exe, 00000000.00000003.379280133.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381656755.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381059048.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.378729506.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381273773.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.386539619.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379770002.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379922349.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379140386.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.378822721.0000000005F73000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
            Source: llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
            Source: llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
            Source: llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
            Source: llcubnch6T.exe, 00000000.00000003.379622921.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379851679.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380056944.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379770002.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
            Source: llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
            Source: llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
            Source: llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
            Source: llcubnch6T.exe, 00000000.00000003.380490931.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380611387.0000000005F70000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380236923.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380325146.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380749411.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380956167.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381059048.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381273773.0000000005F74000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comF
            Source: llcubnch6T.exe, 00000000.00000003.381774652.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380749411.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381516393.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.382095894.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380956167.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381656755.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381059048.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381273773.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381931622.0000000005F74000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comL.TTF
            Source: llcubnch6T.exe, 00000000.00000003.380490931.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380325146.0000000005F73000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.coma;
            Source: llcubnch6T.exe, 00000000.00000003.380611387.0000000005F70000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380749411.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381516393.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380956167.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381059048.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381273773.0000000005F74000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comalic
            Source: llcubnch6T.exe, 00000000.00000003.386884447.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.386656862.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.413372395.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.386539619.0000000005F74000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comav;
            Source: llcubnch6T.exe, 00000000.00000003.386884447.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.386656862.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.386539619.0000000005F74000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comceta
            Source: llcubnch6T.exe, 00000000.00000003.386884447.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.386656862.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.413372395.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.386539619.0000000005F74000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comcetoS;
            Source: llcubnch6T.exe, 00000000.00000003.379374870.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379622921.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379851679.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379548812.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379280133.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379770002.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379922349.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379140386.0000000005F73000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comd
            Source: llcubnch6T.exe, 00000000.00000003.379374870.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379622921.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379851679.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379548812.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379280133.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379770002.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379922349.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379140386.0000000005F73000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.come.com
            Source: llcubnch6T.exe, 00000000.00000003.379374870.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379548812.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379280133.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379140386.0000000005F73000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comepko
            Source: llcubnch6T.exe, 00000000.00000003.379374870.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379280133.0000000005F73000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comion
            Source: llcubnch6T.exe, 00000000.00000003.380490931.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380611387.0000000005F70000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380236923.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380325146.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380749411.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381516393.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380956167.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381059048.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381273773.0000000005F74000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comituFv;
            Source: llcubnch6T.exe, 00000000.00000003.378729506.0000000005F73000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comnc.Z;
            Source: llcubnch6T.exe, 00000000.00000003.379622921.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379851679.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380056944.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379770002.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379922349.0000000005F73000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comonydZ;
            Source: llcubnch6T.exe, 00000000.00000003.380490931.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380611387.0000000005F70000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380325146.0000000005F73000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comsiv9
            Source: llcubnch6T.exe, 00000000.00000003.379851679.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380056944.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379770002.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379922349.0000000005F73000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comueta
            Source: llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
            Source: llcubnch6T.exe, 00000000.00000003.372828062.0000000005F71000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.372581826.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.372713612.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.372553600.0000000005F78000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
            Source: llcubnch6T.exe, 00000000.00000003.372828062.0000000005F71000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.372078011.0000000005F73000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/
            Source: llcubnch6T.exe, 00000000.00000003.372183289.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.372085870.0000000005F78000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/aj#W
            Source: llcubnch6T.exe, 00000000.00000003.372828062.0000000005F71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/ar
            Source: llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
            Source: llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
            Source: llcubnch6T.exe, 00000000.00000003.373045911.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.372828062.0000000005F71000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.372992295.0000000005F78000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cnMic
            Source: llcubnch6T.exe, 00000000.00000003.373045911.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.372828062.0000000005F71000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.373098086.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.372992295.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.372713612.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.373141901.0000000005F78000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cnl-g
            Source: llcubnch6T.exe, 00000000.00000003.373045911.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.372828062.0000000005F71000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.373098086.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.372992295.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.373257248.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.372713612.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.373141901.0000000005F78000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cns
            Source: llcubnch6T.exe, 00000000.00000003.382515419.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.383198382.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.383615585.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.382620508.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.383062477.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.383441888.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.383716381.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.382877880.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.382700986.0000000005F74000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/
            Source: llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
            Source: llcubnch6T.exe, 00000000.00000003.382515419.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.382620508.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.382700986.0000000005F74000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/Z;
            Source: llcubnch6T.exe, 00000000.00000003.382620508.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
            Source: llcubnch6T.exe, 00000000.00000003.371976372.0000000005F70000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
            Source: llcubnch6T.exe, 00000000.00000003.371976372.0000000005F70000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.krtp
            Source: llcubnch6T.exe, 00000000.00000003.377084125.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376932034.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.377017050.0000000005F73000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.itcfonts.
            Source: llcubnch6T.exe, 00000000.00000003.376677530.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.377578464.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376099331.0000000005F71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
            Source: llcubnch6T.exe, 00000000.00000003.376766485.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376932034.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376589985.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376392718.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376159863.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376612294.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376304898.0000000005F71000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376546388.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376677530.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376099331.0000000005F71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/E;
            Source: llcubnch6T.exe, 00000000.00000003.376589985.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376392718.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376304898.0000000005F71000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376546388.0000000005F73000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0-sa;
            Source: llcubnch6T.exe, 00000000.00000003.376589985.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376392718.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376159863.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376612294.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376304898.0000000005F71000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376546388.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376099331.0000000005F71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0W
            Source: llcubnch6T.exe, 00000000.00000003.375863348.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.375712201.0000000005F73000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/de-d
            Source: llcubnch6T.exe, 00000000.00000003.376766485.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376932034.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376589985.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376612294.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376546388.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376677530.0000000005F74000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/h;
            Source: llcubnch6T.exe, 00000000.00000003.376099331.0000000005F71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
            Source: llcubnch6T.exe, 00000000.00000003.375863348.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.375712201.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.375949766.0000000005F73000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/knl
            Source: llcubnch6T.exe, 00000000.00000003.376392718.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376159863.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376304898.0000000005F71000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376048892.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.375949766.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376099331.0000000005F71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/lth;
            Source: llcubnch6T.exe, 00000000.00000003.376589985.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376392718.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376612294.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376304898.0000000005F71000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376546388.0000000005F73000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/oi
            Source: llcubnch6T.exe, 00000000.00000003.376048892.0000000005F72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/u-hE;
            Source: llcubnch6T.exe, 00000000.00000003.376589985.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376392718.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376159863.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376304898.0000000005F71000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376048892.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376546388.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.375949766.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376099331.0000000005F71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/v;
            Source: llcubnch6T.exe, 00000000.00000003.367498032.0000000005F52000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
            Source: llcubnch6T.exe, 00000000.00000003.367498032.0000000005F52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com2
            Source: llcubnch6T.exe, 00000000.00000003.367498032.0000000005F52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.come
            Source: llcubnch6T.exe, 00000000.00000003.377084125.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376766485.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376932034.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.377017050.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.377194158.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376677530.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
            Source: llcubnch6T.exe, 00000000.00000003.376677530.0000000005F74000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com0
            Source: llcubnch6T.exe, 00000000.00000003.371976372.0000000005F70000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.372078011.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.372146838.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.371863268.0000000005F71000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
            Source: llcubnch6T.exe, 00000000.00000003.371976372.0000000005F70000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kront
            Source: llcubnch6T.exe, 00000000.00000003.371976372.0000000005F70000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.krtp
            Source: llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
            Source: llcubnch6T.exe, 00000000.00000003.374266055.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.374439978.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.374621756.0000000005F73000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.comslnt
            Source: llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
            Source: llcubnch6T.exe, 00000000.00000003.378274559.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.378415798.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380956167.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381059048.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.378491515.0000000005F72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.de
            Source: llcubnch6T.exe, 00000000.00000003.378274559.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.378415798.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.378491515.0000000005F72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deC
            Source: llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
            Source: llcubnch6T.exe, 00000000.00000003.380956167.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381059048.0000000005F73000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deFT
            Source: llcubnch6T.exe, 00000000.00000003.378274559.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.378415798.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.378491515.0000000005F72000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deo$
            Source: llcubnch6T.exe, 00000000.00000003.373754624.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
            Source: llcubnch6T.exe, 00000000.00000003.373754624.0000000005F78000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cnarS/
            Source: llcubnch6T.exe, 00000000.00000003.373754624.0000000005F78000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cno.
            Source: llcubnch6T.exe, 00000000.00000003.373754624.0000000005F78000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cno.f

            Key, Mouse, Clipboard, Microphone and Screen Capturing

            barindex
            Yara detected AsyncRAT
            Source: Yara matchFile source: 0.2.llcubnch6T.exe.30fdb24.6.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.llcubnch6T.exe.310ae28.5.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.llcubnch6T.exe.30fdb24.6.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 9.0.llcubnch6T.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.llcubnch6T.exe.30ee614.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.llcubnch6T.exe.310ae28.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000009.00000000.410857927.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.419146088.00000000030EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: llcubnch6T.exe PID: 5324, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: llcubnch6T.exe PID: 3720, type: MEMORYSTR
            Source: llcubnch6T.exe, 00000000.00000002.414992989.000000000123B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

            System Summary

            barindex
            Malicious sample detected (through community Yara rule)
            Source: 0.2.llcubnch6T.exe.30fdb24.6.unpack, type: UNPACKEDPEMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
            Source: 0.2.llcubnch6T.exe.310ae28.5.unpack, type: UNPACKEDPEMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
            Source: 0.2.llcubnch6T.exe.30fdb24.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
            Source: 9.0.llcubnch6T.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
            Source: 0.2.llcubnch6T.exe.30ee614.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
            Source: 0.2.llcubnch6T.exe.310ae28.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
            Source: 00000009.00000002.630822289.0000000003051000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
            Source: 00000009.00000000.410857927.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
            Source: 00000009.00000002.635757563.00000000055A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
            Source: 00000000.00000002.419146088.00000000030EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
            Source: Process Memory Space: llcubnch6T.exe PID: 3720, type: MEMORYSTRMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
            Source: Process Memory Space: llcubnch6T.exe PID: 3720, type: MEMORYSTRMatched rule: Detects AsyncRAT Author: ditekSHen
            Source: llcubnch6T.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 0.2.llcubnch6T.exe.30fdb24.6.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
            Source: 0.2.llcubnch6T.exe.310ae28.5.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
            Source: 0.2.llcubnch6T.exe.30fdb24.6.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
            Source: 9.0.llcubnch6T.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
            Source: 0.2.llcubnch6T.exe.30ee614.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
            Source: 0.2.llcubnch6T.exe.310ae28.5.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
            Source: 00000009.00000002.630822289.0000000003051000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 00000009.00000000.410857927.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
            Source: 00000009.00000002.635757563.00000000055A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 00000000.00000002.419146088.00000000030EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
            Source: Process Memory Space: llcubnch6T.exe PID: 3720, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
            Source: Process Memory Space: llcubnch6T.exe PID: 3720, type: MEMORYSTRMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: C:\Users\user\Desktop\llcubnch6T.exeCode function: 0_2_010BDF0C
            Source: llcubnch6T.exe, 00000000.00000002.427448862.0000000005F10000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenamePlates.dll4 vs llcubnch6T.exe
            Source: llcubnch6T.exe, 00000000.00000002.419675313.0000000004689000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSchedulingClerk.dll. vs llcubnch6T.exe
            Source: llcubnch6T.exe, 00000000.00000002.416245004.0000000002E81000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameFroor.dll4 vs llcubnch6T.exe
            Source: llcubnch6T.exe, 00000000.00000002.431213739.00000000060E0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameFroor.dll4 vs llcubnch6T.exe
            Source: llcubnch6T.exe, 00000000.00000003.387819597.00000000012BF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePlates.dll4 vs llcubnch6T.exe
            Source: llcubnch6T.exe, 00000000.00000002.419146088.00000000030EE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename" vs llcubnch6T.exe
            Source: llcubnch6T.exe, 00000000.00000002.433660916.0000000008030000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSchedulingClerk.dll. vs llcubnch6T.exe
            Source: llcubnch6T.exe, 00000009.00000000.411378615.000000000040E000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilename" vs llcubnch6T.exe
            Source: llcubnch6T.exeBinary or memory string: OriginalFilenameTypeLibVarFl.exe< vs llcubnch6T.exe
            Source: llcubnch6T.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: RhFYnHFgJ.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: llcubnch6T.exeVirustotal: Detection: 53%
            Source: C:\Users\user\Desktop\llcubnch6T.exeFile read: C:\Users\user\Desktop\llcubnch6T.exeJump to behavior
            Source: llcubnch6T.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\llcubnch6T.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknownProcess created: C:\Users\user\Desktop\llcubnch6T.exe "C:\Users\user\Desktop\llcubnch6T.exe"
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RhFYnHFgJ.exe
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RhFYnHFgJ" /XML "C:\Users\user\AppData\Local\Temp\tmp95A0.tmp
            Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess created: C:\Users\user\Desktop\llcubnch6T.exe C:\Users\user\Desktop\llcubnch6T.exe
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RhFYnHFgJ.exe
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RhFYnHFgJ" /XML "C:\Users\user\AppData\Local\Temp\tmp95A0.tmp
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess created: C:\Users\user\Desktop\llcubnch6T.exe C:\Users\user\Desktop\llcubnch6T.exe
            Source: C:\Users\user\Desktop\llcubnch6T.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
            Source: C:\Users\user\Desktop\llcubnch6T.exeFile created: C:\Users\user\AppData\Roaming\RhFYnHFgJ.exeJump to behavior
            Source: C:\Users\user\Desktop\llcubnch6T.exeFile created: C:\Users\user\AppData\Local\Temp\tmp95A0.tmpJump to behavior
            Source: classification engineClassification label: mal100.troj.evad.winEXE@9/8@0/1
            Source: C:\Users\user\Desktop\llcubnch6T.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: llcubnch6T.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
            Source: C:\Users\user\Desktop\llcubnch6T.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Users\user\Desktop\llcubnch6T.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5308:120:WilError_01
            Source: C:\Users\user\Desktop\llcubnch6T.exeMutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1672:120:WilError_01
            Source: llcubnch6T.exe, Login.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
            Source: RhFYnHFgJ.exe.0.dr, Login.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
            Source: 0.0.llcubnch6T.exe.a30000.0.unpack, Login.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Users\user\Desktop\llcubnch6T.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: llcubnch6T.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: llcubnch6T.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Data Obfuscation

            barindex
            .NET source code contains potential unpacker
            Source: llcubnch6T.exe, Login.cs.Net Code: WaitHandle System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: RhFYnHFgJ.exe.0.dr, Login.cs.Net Code: WaitHandle System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 0.0.llcubnch6T.exe.a30000.0.unpack, Login.cs.Net Code: WaitHandle System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: initial sampleStatic PE information: section name: .text entropy: 7.2738007120716635
            Source: initial sampleStatic PE information: section name: .text entropy: 7.2738007120716635
            Source: C:\Users\user\Desktop\llcubnch6T.exeFile created: C:\Users\user\AppData\Roaming\RhFYnHFgJ.exeJump to dropped file

            Boot Survival

            barindex
            Yara detected AsyncRAT
            Source: Yara matchFile source: 0.2.llcubnch6T.exe.30fdb24.6.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.llcubnch6T.exe.310ae28.5.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.llcubnch6T.exe.30fdb24.6.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 9.0.llcubnch6T.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.llcubnch6T.exe.30ee614.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.llcubnch6T.exe.310ae28.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000009.00000000.410857927.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.419146088.00000000030EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: llcubnch6T.exe PID: 5324, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: llcubnch6T.exe PID: 3720, type: MEMORYSTR
            Uses schtasks.exe or at.exe to add and modify task schedules
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RhFYnHFgJ" /XML "C:\Users\user\AppData\Local\Temp\tmp95A0.tmp
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            barindex
            Yara detected AntiVM3
            Source: Yara matchFile source: 00000000.00000002.418726957.0000000003063000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: llcubnch6T.exe PID: 5324, type: MEMORYSTR
            Yara detected AsyncRAT
            Source: Yara matchFile source: 0.2.llcubnch6T.exe.30fdb24.6.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.llcubnch6T.exe.310ae28.5.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.llcubnch6T.exe.30fdb24.6.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 9.0.llcubnch6T.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.llcubnch6T.exe.30ee614.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.llcubnch6T.exe.310ae28.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000009.00000000.410857927.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.419146088.00000000030EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: llcubnch6T.exe PID: 5324, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: llcubnch6T.exe PID: 3720, type: MEMORYSTR
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: llcubnch6T.exe, 00000000.00000002.418726957.0000000003063000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000002.419146088.00000000030EE000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000009.00000000.410857927.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
            Source: llcubnch6T.exe, 00000000.00000002.418726957.0000000003063000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
            Source: C:\Users\user\Desktop\llcubnch6T.exe TID: 5396Thread sleep time: -45877s >= -30000s
            Source: C:\Users\user\Desktop\llcubnch6T.exe TID: 2952Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3716Thread sleep time: -4611686018427385s >= -30000s
            Source: C:\Users\user\Desktop\llcubnch6T.exe TID: 3772Thread sleep time: -65000s >= -30000s
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Users\user\Desktop\llcubnch6T.exeLast function: Thread delayed
            Source: C:\Users\user\Desktop\llcubnch6T.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 8958
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeThread delayed: delay time: 45877
            Source: C:\Users\user\Desktop\llcubnch6T.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\llcubnch6T.exeFile Volume queried: C:\ FullSizeInformation
            Source: llcubnch6T.exe, 00000000.00000002.418726957.0000000003063000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: llcubnch6T.exe, 00000009.00000000.410857927.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: vmware
            Source: llcubnch6T.exe, 00000000.00000002.418726957.0000000003063000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA II
            Source: llcubnch6T.exe, 00000009.00000002.635815470.00000000055BA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: llcubnch6T.exe, 00000000.00000002.418726957.0000000003063000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
            Source: C:\Users\user\Desktop\llcubnch6T.exeMemory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            barindex
            Injects a PE file into a foreign processes
            Source: C:\Users\user\Desktop\llcubnch6T.exeMemory written: C:\Users\user\Desktop\llcubnch6T.exe base: 400000 value starts with: 4D5A
            Adds a directory exclusion to Windows Defender
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RhFYnHFgJ.exe
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RhFYnHFgJ.exe
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RhFYnHFgJ.exe
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RhFYnHFgJ" /XML "C:\Users\user\AppData\Local\Temp\tmp95A0.tmp
            Source: C:\Users\user\Desktop\llcubnch6T.exeProcess created: C:\Users\user\Desktop\llcubnch6T.exe C:\Users\user\Desktop\llcubnch6T.exe
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Users\user\Desktop\llcubnch6T.exe VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeQueries volume information: C:\Users\user\Desktop\llcubnch6T.exe VolumeInformation
            Source: C:\Users\user\Desktop\llcubnch6T.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Lowering of HIPS / PFW / Operating System Security Settings

            barindex
            Yara detected AsyncRAT
            Source: Yara matchFile source: 0.2.llcubnch6T.exe.30fdb24.6.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.llcubnch6T.exe.310ae28.5.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.llcubnch6T.exe.30fdb24.6.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 9.0.llcubnch6T.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.llcubnch6T.exe.30ee614.4.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.llcubnch6T.exe.310ae28.5.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000009.00000000.410857927.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.419146088.00000000030EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: llcubnch6T.exe PID: 5324, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: llcubnch6T.exe PID: 3720, type: MEMORYSTR

            Mitre Att&ck Matrix

            Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
            Valid Accounts2
            Scheduled Task/Job            		2
            Scheduled Task/Job            		111
            Process Injection            		1
            Masquerading            		1
            Input Capture            		21
            Security Software Discovery            		Remote Services1
            Input Capture            		Exfiltration Over Other Network Medium1
            Encrypted Channel            		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
            Default AccountsScheduled Task/JobBoot or Logon Initialization Scripts2
            Scheduled Task/Job            		11
            Disable or Modify Tools            		LSASS Memory1
            Process Discovery            		Remote Desktop Protocol11
            Archive Collected Data            		Exfiltration Over Bluetooth1
            Non-Standard Port            		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
            Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)21
            Virtualization/Sandbox Evasion            		Security Account Manager21
            Virtualization/Sandbox Evasion            		SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
            Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)111
            Process Injection            		NTDS1
            Application Window Discovery            		Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
            Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
            Deobfuscate/Decode Files or Information            		LSA Secrets1
            File and Directory Discovery            		SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
            Replication Through Removable MediaLaunchdRc.commonRc.common12
            Obfuscated Files or Information            		Cached Domain Credentials13
            System Information Discovery            		VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
            External Remote ServicesScheduled TaskStartup ItemsStartup Items12
            Software Packing            		DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


            windows-stand

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            SourceDetectionScannerLabelLink
            llcubnch6T.exe54%VirustotalBrowse
            llcubnch6T.exe100%Joe Sandbox ML

            Dropped Files

            SourceDetectionScannerLabelLink
            C:\Users\user\AppData\Roaming\RhFYnHFgJ.exe100%Joe Sandbox ML
            C:\Users\user\AppData\Roaming\RhFYnHFgJ.exe54%ReversingLabsByteCode-MSIL.Trojan.FormBook

            Unpacked PE Files

            SourceDetectionScannerLabelLinkDownload
            9.0.llcubnch6T.exe.400000.0.unpack100%AviraHEUR/AGEN.1202836Download File

            Domains

            No Antivirus matches

            URLs

            SourceDetectionScannerLabelLink
            http://www.jiyu-kobo.co.jp/v;0%Avira URL Cloudsafe
            http://www.sajatypeworks.com20%URL Reputationsafe
            http://www.fontbureau.comonydZ;0%Avira URL Cloudsafe
            http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
            http://www.fontbureau.comituFv;0%Avira URL Cloudsafe
            http://fontfabrik.comi;0%Avira URL Cloudsafe
            http://www.tiro.com0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/E;0%Avira URL Cloudsafe
            http://www.fontbureau.comceta0%URL Reputationsafe
            http://www.sandoll.co.kront0%Avira URL Cloudsafe
            http://www.fontbureau.comepko0%URL Reputationsafe
            http://www.goodfont.co.kr0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/knl0%Avira URL Cloudsafe
            http://www.fontbureau.comsiv90%Avira URL Cloudsafe
            http://www.sajatypeworks.com0%URL Reputationsafe
            http://www.typography.netD0%URL Reputationsafe
            http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
            http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
            http://www.zhongyicts.com.cnarS/0%Avira URL Cloudsafe
            http://fontfabrik.com0%URL Reputationsafe
            http://www.founder.com.cn/cnl-g0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/Y0-sa;0%Avira URL Cloudsafe
            http://www.jiyu-kobo.co.jp/lth;0%Avira URL Cloudsafe
            http://fontfabrik.comz0%Avira URL Cloudsafe
            http://www.founder.com.cn/cns0%URL Reputationsafe
            http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/Y0W0%Avira URL Cloudsafe
            http://www.ascendercorp.com/typedesigners.html0%URL Reputationsafe
            http://www.itcfonts.0%URL Reputationsafe
            http://www.urwpp.deFT0%URL Reputationsafe
            http://www.sandoll.co.kr0%URL Reputationsafe
            http://www.fontbureau.comnc.Z;0%Avira URL Cloudsafe
            http://www.urwpp.deDPlease0%URL Reputationsafe
            http://www.sandoll.co.krtp0%Avira URL Cloudsafe
            http://www.urwpp.de0%URL Reputationsafe
            http://www.zhongyicts.com.cn0%URL Reputationsafe
            http://www.sajatypeworks.come0%URL Reputationsafe
            http://www.sakkal.com0%URL Reputationsafe
            http://www.carterandcone.comic0%URL Reputationsafe
            http://www.founder.com.cn/cnMic0%Avira URL Cloudsafe
            http://www.galapagosdesign.com/0%URL Reputationsafe
            http://www.fontbureau.comF0%URL Reputationsafe
            http://www.tiro.comslnt0%URL Reputationsafe
            http://www.founder.com.cn/cn/ar0%Avira URL Cloudsafe
            http://www.fontbureau.comueta0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/h;0%Avira URL Cloudsafe
            http://www.founder.com.cn/cn/aj#W0%Avira URL Cloudsafe
            http://www.carterandcone.comadD0%Avira URL Cloudsafe
            http://www.jiyu-kobo.co.jp/u-hE;0%Avira URL Cloudsafe
            http://www.fontbureau.comion0%URL Reputationsafe
            http://www.fontbureau.comL.TTF0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/oi0%URL Reputationsafe
            http://www.jiyu-kobo.co.jp/jp/0%URL Reputationsafe
            http://www.fontbureau.comd0%URL Reputationsafe
            http://www.fontbureau.come.com0%URL Reputationsafe
            http://en.w0%URL Reputationsafe
            http://www.carterandcone.coml0%URL Reputationsafe
            http://www.urwpp.deC0%URL Reputationsafe
            http://www.founder.com.cn/cn/0%URL Reputationsafe
            http://www.sakkal.com00%Avira URL Cloudsafe
            http://www.founder.com.cn/cn0%URL Reputationsafe
            http://www.goodfont.co.krtp0%Avira URL Cloudsafe
            http://www.fontbureau.coma;0%Avira URL Cloudsafe
            http://www.urwpp.deo$0%Avira URL Cloudsafe
            http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
            http://www.fontbureau.comcetoS;0%Avira URL Cloudsafe
            http://www.zhongyicts.com.cno.0%URL Reputationsafe
            http://www.fontbureau.comalic0%URL Reputationsafe
            http://www.fontbureau.comav;0%Avira URL Cloudsafe
            http://www.galapagosdesign.com/Z;0%Avira URL Cloudsafe
            http://www.zhongyicts.com.cno.f0%Avira URL Cloudsafe
            http://www.jiyu-kobo.co.jp/de-d0%Avira URL Cloudsafe

            Domains and IPs

            Contacted Domains

            No contacted domains info

            URLs from Memory and Binaries

            NameSourceMaliciousAntivirus DetectionReputation
            http://www.fontbureau.com/designersGllcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmpfalse
              		high
              http://www.jiyu-kobo.co.jp/v;llcubnch6T.exe, 00000000.00000003.376589985.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376392718.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376159863.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376304898.0000000005F71000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376048892.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376546388.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.375949766.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376099331.0000000005F71000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://www.sajatypeworks.com2llcubnch6T.exe, 00000000.00000003.367498032.0000000005F52000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              http://www.fontbureau.com/designers/?llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmpfalse
                		high
                http://www.fontbureau.comonydZ;llcubnch6T.exe, 00000000.00000003.379622921.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379851679.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380056944.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379770002.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379922349.0000000005F73000.00000004.00000800.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		low
                http://www.founder.com.cn/cn/bThellcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                		unknown
                http://www.fontbureau.com/designers?llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmpfalse
                  		high
                  http://www.fontbureau.comituFv;llcubnch6T.exe, 00000000.00000003.380490931.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380611387.0000000005F70000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380236923.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380325146.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380749411.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381516393.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380956167.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381059048.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381273773.0000000005F74000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		low
                  http://fontfabrik.comi;llcubnch6T.exe, 00000000.00000003.369532282.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.369344253.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.369439345.0000000005F73000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		low
                  http://www.tiro.comllcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  http://www.jiyu-kobo.co.jp/E;llcubnch6T.exe, 00000000.00000003.376766485.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376932034.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376589985.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376392718.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376159863.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376612294.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376304898.0000000005F71000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376546388.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376677530.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376099331.0000000005F71000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://www.fontbureau.comcetallcubnch6T.exe, 00000000.00000003.386884447.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.386656862.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.386539619.0000000005F74000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  http://www.sandoll.co.krontllcubnch6T.exe, 00000000.00000003.371976372.0000000005F70000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  		unknown
                  http://www.fontbureau.com/designersllcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmpfalse
                    		high
                    http://www.fontbureau.comepkollcubnch6T.exe, 00000000.00000003.379374870.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379548812.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379280133.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379140386.0000000005F73000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.goodfont.co.krllcubnch6T.exe, 00000000.00000003.371976372.0000000005F70000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.jiyu-kobo.co.jp/knlllcubnch6T.exe, 00000000.00000003.375863348.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.375712201.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.375949766.0000000005F73000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://www.fontbureau.comsiv9llcubnch6T.exe, 00000000.00000003.380490931.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380611387.0000000005F70000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380325146.0000000005F73000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://www.sajatypeworks.comllcubnch6T.exe, 00000000.00000003.367498032.0000000005F52000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.typography.netDllcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.founder.com.cn/cn/cThellcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.galapagosdesign.com/staff/dennis.htmllcubnch6T.exe, 00000000.00000003.382620508.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.zhongyicts.com.cnarS/llcubnch6T.exe, 00000000.00000003.373754624.0000000005F78000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://fontfabrik.comllcubnch6T.exe, 00000000.00000003.369532282.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.369672069.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.369439345.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.369755917.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.369565571.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.founder.com.cn/cnl-gllcubnch6T.exe, 00000000.00000003.373045911.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.372828062.0000000005F71000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.373098086.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.372992295.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.372713612.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.373141901.0000000005F78000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.jiyu-kobo.co.jp/Y0-sa;llcubnch6T.exe, 00000000.00000003.376589985.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376392718.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376304898.0000000005F71000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376546388.0000000005F73000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://www.jiyu-kobo.co.jp/lth;llcubnch6T.exe, 00000000.00000003.376392718.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376159863.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376304898.0000000005F71000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376048892.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.375949766.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376099331.0000000005F71000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://fontfabrik.comzllcubnch6T.exe, 00000000.00000003.369532282.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.369672069.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.369755917.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.369565571.0000000005F73000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://www.founder.com.cn/cnsllcubnch6T.exe, 00000000.00000003.373045911.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.372828062.0000000005F71000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.373098086.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.372992295.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.373257248.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.372713612.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.373141901.0000000005F78000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.galapagosdesign.com/DPleasellcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.jiyu-kobo.co.jp/Y0Wllcubnch6T.exe, 00000000.00000003.376589985.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376392718.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376159863.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376612294.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376304898.0000000005F71000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376546388.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376099331.0000000005F71000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    		unknown
                    http://www.ascendercorp.com/typedesigners.htmlllcubnch6T.exe, 00000000.00000003.376677530.0000000005F74000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.itcfonts.llcubnch6T.exe, 00000000.00000003.377084125.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376932034.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.377017050.0000000005F73000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.urwpp.deFTllcubnch6T.exe, 00000000.00000003.380956167.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381059048.0000000005F73000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.fonts.comllcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high
                      http://www.sandoll.co.krllcubnch6T.exe, 00000000.00000003.371976372.0000000005F70000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.372078011.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.372146838.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.371863268.0000000005F71000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.fontbureau.comnc.Z;llcubnch6T.exe, 00000000.00000003.378729506.0000000005F73000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		low
                      http://www.urwpp.deDPleasellcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.sandoll.co.krtpllcubnch6T.exe, 00000000.00000003.371976372.0000000005F70000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://www.urwpp.dellcubnch6T.exe, 00000000.00000003.378274559.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.378415798.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380956167.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381059048.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.378491515.0000000005F72000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.zhongyicts.com.cnllcubnch6T.exe, 00000000.00000003.373754624.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namellcubnch6T.exe, 00000000.00000002.418726957.0000000003063000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        http://www.sajatypeworks.comellcubnch6T.exe, 00000000.00000003.367498032.0000000005F52000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://www.sakkal.comllcubnch6T.exe, 00000000.00000003.377084125.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376766485.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376932034.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.377017050.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.377194158.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376677530.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://www.carterandcone.comicllcubnch6T.exe, 00000000.00000003.374008369.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.374159108.0000000005F79000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.374208532.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.373945445.0000000005F78000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://www.apache.org/licenses/LICENSE-2.0llcubnch6T.exe, 00000000.00000003.373444862.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.373397776.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.373494865.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          http://www.fontbureau.comllcubnch6T.exe, 00000000.00000003.379280133.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381656755.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381059048.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.378729506.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381273773.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.386539619.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379770002.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379922349.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379140386.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.378822721.0000000005F73000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            http://www.founder.com.cn/cnMicllcubnch6T.exe, 00000000.00000003.373045911.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.372828062.0000000005F71000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.372992295.0000000005F78000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://www.galapagosdesign.com/llcubnch6T.exe, 00000000.00000003.382515419.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.383198382.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.383615585.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.382620508.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.383062477.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.383441888.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.383716381.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.382877880.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.382700986.0000000005F74000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.fontbureau.comFllcubnch6T.exe, 00000000.00000003.380490931.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380611387.0000000005F70000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380236923.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380325146.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380749411.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380956167.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381059048.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381273773.0000000005F74000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.tiro.comslntllcubnch6T.exe, 00000000.00000003.374266055.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.374439978.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.374621756.0000000005F73000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.founder.com.cn/cn/arllcubnch6T.exe, 00000000.00000003.372828062.0000000005F71000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://www.fontbureau.comuetallcubnch6T.exe, 00000000.00000003.379851679.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380056944.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379770002.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379922349.0000000005F73000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.jiyu-kobo.co.jp/h;llcubnch6T.exe, 00000000.00000003.376766485.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376932034.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376589985.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376612294.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376546388.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376677530.0000000005F74000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://www.founder.com.cn/cn/aj#Wllcubnch6T.exe, 00000000.00000003.372183289.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.372085870.0000000005F78000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://www.carterandcone.comadDllcubnch6T.exe, 00000000.00000003.374008369.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.374159108.0000000005F79000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.374208532.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.373945445.0000000005F78000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://www.jiyu-kobo.co.jp/u-hE;llcubnch6T.exe, 00000000.00000003.376048892.0000000005F72000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://www.fontbureau.comionllcubnch6T.exe, 00000000.00000003.379374870.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379280133.0000000005F73000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.fontbureau.comL.TTFllcubnch6T.exe, 00000000.00000003.381774652.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380749411.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381516393.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.382095894.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380956167.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381656755.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381059048.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381273773.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381931622.0000000005F74000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.jiyu-kobo.co.jp/oillcubnch6T.exe, 00000000.00000003.376589985.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376392718.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376612294.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376304898.0000000005F71000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376546388.0000000005F73000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.jiyu-kobo.co.jp/jp/llcubnch6T.exe, 00000000.00000003.376099331.0000000005F71000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.fontbureau.comdllcubnch6T.exe, 00000000.00000003.379374870.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379622921.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379851679.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379548812.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379280133.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379770002.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379922349.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379140386.0000000005F73000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.fontbureau.come.comllcubnch6T.exe, 00000000.00000003.379374870.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379622921.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379851679.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379548812.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379280133.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379770002.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379922349.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379140386.0000000005F73000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://en.wllcubnch6T.exe, 00000000.00000003.370486654.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.370416567.0000000005F77000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.carterandcone.comlllcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.urwpp.deCllcubnch6T.exe, 00000000.00000003.378274559.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.378415798.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.378491515.0000000005F72000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.founder.com.cn/cn/llcubnch6T.exe, 00000000.00000003.372828062.0000000005F71000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.372078011.0000000005F73000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.fontbureau.com/designers/cabarga.htmlNllcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              http://www.sakkal.com0llcubnch6T.exe, 00000000.00000003.376677530.0000000005F74000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://www.founder.com.cn/cnllcubnch6T.exe, 00000000.00000003.372828062.0000000005F71000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.372581826.0000000005F78000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.372713612.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.372553600.0000000005F78000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://www.goodfont.co.krtpllcubnch6T.exe, 00000000.00000003.371976372.0000000005F70000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://www.fontbureau.com/designers/frere-jones.htmlllcubnch6T.exe, 00000000.00000003.379622921.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379851679.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380056944.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.379770002.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                http://www.fontbureau.coma;llcubnch6T.exe, 00000000.00000003.380490931.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380325146.0000000005F73000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		low
                                http://www.urwpp.deo$llcubnch6T.exe, 00000000.00000003.378274559.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.378415798.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.378491515.0000000005F72000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		low
                                http://www.jiyu-kobo.co.jp/llcubnch6T.exe, 00000000.00000003.376677530.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.377578464.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.376099331.0000000005F71000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.fontbureau.comcetoS;llcubnch6T.exe, 00000000.00000003.386884447.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.386656862.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.413372395.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.386539619.0000000005F74000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		low
                                http://www.zhongyicts.com.cno.llcubnch6T.exe, 00000000.00000003.373754624.0000000005F78000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.fontbureau.com/designers8llcubnch6T.exe, 00000000.00000002.432126891.0000000007252000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://www.fontbureau.comalicllcubnch6T.exe, 00000000.00000003.380611387.0000000005F70000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380749411.0000000005F72000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381516393.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.380956167.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381059048.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.381273773.0000000005F74000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.fontbureau.comav;llcubnch6T.exe, 00000000.00000003.386884447.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.386656862.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.413372395.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.386539619.0000000005F74000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		low
                                  http://www.galapagosdesign.com/Z;llcubnch6T.exe, 00000000.00000003.382515419.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.382620508.0000000005F74000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.382700986.0000000005F74000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.zhongyicts.com.cno.fllcubnch6T.exe, 00000000.00000003.373754624.0000000005F78000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.jiyu-kobo.co.jp/de-dllcubnch6T.exe, 00000000.00000003.375863348.0000000005F73000.00000004.00000800.00020000.00000000.sdmp, llcubnch6T.exe, 00000000.00000003.375712201.0000000005F73000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown

                                  World Map of Contacted IPs

                                  • No. of IPs < 25%
                                  • 25% < No. of IPs < 50%
                                  • 50% < No. of IPs < 75%
                                  • 75% < No. of IPs

                                  Public IPs

                                  IPDomainCountryFlagASNASN NameMalicious
                                  91.193.75.135
                                  		unknownSerbia
                                  		209623DAVID_CRAIGGGfalse

                                  General Information

                                  Joe Sandbox Version:35.0.0 Citrine
                                  Analysis ID:679479
                                  Start date and time: 05/08/202221:06:112022-08-05 21:06:11 +02:00
                                  Joe Sandbox Product:CloudBasic
                                  Overall analysis duration:0h 8m 20s
                                  Hypervisor based Inspection enabled:false
                                  Report type:light
                                  Sample file name:llcubnch6T (renamed file extension from none to exe)
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                  Number of analysed new started processes analysed:26
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • HDC enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Detection:MAL
                                  Classification:mal100.troj.evad.winEXE@9/8@0/1
                                  EGA Information:
                                  • Successful, ratio: 50%
                                  HDC Information:Failed
                                  HCA Information:
                                  • Successful, ratio: 100%
                                  • Number of executed functions: 0
                                  • Number of non-executed functions: 0
                                  Cookbook Comments:
                                  • Adjust boot time
                                  • Enable AMSI

                                  Warnings

                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                                  • Excluded IPs from analysis (whitelisted): 23.211.6.115
                                  • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net
                                  • Execution Graph export aborted for target llcubnch6T.exe, PID 3720 because it is empty
                                  • Not all processes where analyzed, report is missing behavior information
                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                  • Report size getting too big, too many NtQueryValueKey calls found.

                                  Simulations

                                  Behavior and APIs

                                  TimeTypeDescription
                                  21:07:33API Interceptor1x Sleep call for process: llcubnch6T.exe modified
                                  21:07:40API Interceptor40x Sleep call for process: powershell.exe modified

                                  Joe Sandbox View / Context

                                  IPs

                                  No context

                                  Domains

                                  No context

                                  ASNs

                                  No context

                                  JA3 Fingerprints

                                  No context

                                  Dropped Files

                                  No context

                                  Created / dropped Files

                                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\llcubnch6T.exe.log

                                  Download File
                                  Process:C:\Users\user\Desktop\llcubnch6T.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:modified
                                  Size (bytes):1394
                                  Entropy (8bit):5.340883346054895
                                  Encrypted:false
                                  SSDEEP:24:MLUE4K5E4Ks2E1qE4bE4KnKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84F0:MIHK5HKXE1qHbHKnYHKhQnoPtHoxHhAR
                                  MD5:B51A52A837298BCF7A6EB58551AEF99C
                                  SHA1:61EEFCC20AC255B8651769E5C48E27B2A983FC4A
                                  SHA-256:1D393FBB3CE754EA699462C2778587A7F2451EB23BE2BD5084C95A46B20BE8AF
                                  SHA-512:138544399787651C847837719606197E539857206CCB271E0F4A86E2017FBADABADF5A235B6F6F1DA8ADE7EF29DBA3115CD1996AD01F92CA30C57D0BF217C11C
                                  Malicious:true
                                  Reputation:moderate, very likely benign file
                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e08

                                  C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                  Download File
                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):22272
                                  Entropy (8bit):5.600170087985691
                                  Encrypted:false
                                  SSDEEP:384:ntCDDq0C6VKa/G/KBJYSB+sjultI+b7Y9g9SJ3xa1BMrm7Z1AV7Dw64I+iyYB:va/QOY4dClth79cBa4+M
                                  MD5:E6BC308E44F52713322480EE725334CB
                                  SHA1:57423595B636FC70CF53EB29D227CB6B9BC42F8E
                                  SHA-256:C581CF1C3C82F6B2DF7CD852361A0466AC85172BEC6E34D9655A6C18667BBEC7
                                  SHA-512:E4904783464A21408255C32364441F3741BF9544182F57CF7A14946E6AFC100F16D8CF3089F155AA4A08E4E65FF246F20517C7E1FE6DB962801CC6619ADBE19D
                                  Malicious:false
                                  Reputation:low
                                  Preview:@...e...........y...................>.y..............@..........H...............<@.^.L."My...:P..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3wwz4tj5.5nu.psm1

                                  Download File
                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:very short file (no magic)
                                  Category:dropped
                                  Size (bytes):1
                                  Entropy (8bit):0.0
                                  Encrypted:false
                                  SSDEEP:3:U:U
                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                  Malicious:false
                                  Reputation:high, very likely benign file
                                  Preview:1

                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_d1zr1t5y.vgy.ps1

                                  Download File
                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:very short file (no magic)
                                  Category:dropped
                                  Size (bytes):1
                                  Entropy (8bit):0.0
                                  Encrypted:false
                                  SSDEEP:3:U:U
                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                  Malicious:false
                                  Preview:1

                                  C:\Users\user\AppData\Local\Temp\tmp95A0.tmp

                                  Download File
                                  Process:C:\Users\user\Desktop\llcubnch6T.exe
                                  File Type:XML 1.0 document, ASCII text
                                  Category:dropped
                                  Size (bytes):1608
                                  Entropy (8bit):5.124455319747427
                                  Encrypted:false
                                  SSDEEP:24:2di4+S2qh/S1K2ky1mo2dUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLPaxvn:cgea6YrFdOFzOzN33ODOiDdKrsuTzuv
                                  MD5:0E2E547022BB8168544A3BD4F03B80DF
                                  SHA1:231F190A8B0CE5A7C8BE4346172F48D342B44234
                                  SHA-256:7B1A5B157DD8468BA308482C17F6451096304542DCAA29CF568026DCF494BC60
                                  SHA-512:2FE546649789F3022A8E3606F21199FCFCDBB0E493830556B87D9887A61717D65C2E3A763DF805216320D1A08A2408CCF00F714D212268E5B049940BE2A03BDF
                                  Malicious:true
                                  Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>computer\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>computer\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>computer\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailab

                                  C:\Users\user\AppData\Roaming\RhFYnHFgJ.exe

                                  Download File
                                  Process:C:\Users\user\Desktop\llcubnch6T.exe
                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Category:dropped
                                  Size (bytes):621056
                                  Entropy (8bit):7.267556524859017
                                  Encrypted:false
                                  SSDEEP:12288:4H2iNSg6SKlpxxDAE7Mn3cs9OWvHoFiPEwjlk2Y/gbb:81SLlpxx8EEc85oFaj22p
                                  MD5:44E407B3DE4A9865AB747BDCA810B0B9
                                  SHA1:6EB199E6837432D8ACB98C03B22277F340726372
                                  SHA-256:DA6ABB6F3AAE250D50ED09B6EACC267C33E50895E3EBD7E6BA800AB018351EC5
                                  SHA-512:DB8E1652A6E8D90450114641F3573B9423BCE4C27C237AF49A59DC44ACF929580CDF59E5C216391EF87C27C52FC610653D19BCE2D1507E4D8F310B7D6DEE8A4B
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                  • Antivirus: ReversingLabs, Detection: 54%
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....s.b..............0..r..........b.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...hq... ...r.................. ..`.rsrc................t..............@..@.reloc...............x..............@..B................D.......H............S......B.......@...........................................^..}.....(.......(.....*.0..+.........,..{.......+....,...{....o........(.....*..0................(....s......s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....{....o......{....o......(......{.....o .....{....o!...."...Bs"...o#...&.{....o!...."...Bs"...o#...&.{....o$....{......o%.....{....o$....{......o%.....{....o$....{......o%.....{....o$....{......o%.....{....o$...

                                  C:\Users\user\AppData\Roaming\RhFYnHFgJ.exe:Zone.Identifier

                                  Download File
                                  Process:C:\Users\user\Desktop\llcubnch6T.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):26
                                  Entropy (8bit):3.95006375643621
                                  Encrypted:false
                                  SSDEEP:3:ggPYV:rPYV
                                  MD5:187F488E27DB4AF347237FE461A079AD
                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                  Malicious:true
                                  Preview:[ZoneTransfer]....ZoneId=0

                                  C:\Users\user\Documents\20220805\PowerShell_transcript.724471.0b0YCxHN.20220805210738.txt

                                  Download File
                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):5815
                                  Entropy (8bit):5.37547468273822
                                  Encrypted:false
                                  SSDEEP:96:BZDTL5NKCqDo1ZSGZiTL5NKCqDo1ZE39PjZiTL5NKCqDo1ZEG//hZ+:7
                                  MD5:599FC2C562BB7B72B0592FCDFA20F17F
                                  SHA1:22D5820DE1296A150D38D950EFE7540DEF5672C1
                                  SHA-256:227A4D6538B52B6061A7960A5F9B9795AB1773C2752EEF201CFCD5B85E38E274
                                  SHA-512:C95070EF3920CCAC7689EB27A953C13DAE36173DF17D36194D0BBA930BC0FDFA470C559EE5713F53D2EF26D0D9F1107079E710A8DE326EA3E6AF045BAE1CB99D
                                  Malicious:false
                                  Preview:.**********************..Windows PowerShell transcript start..Start time: 20220805210740..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 724471 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\RhFYnHFgJ.exe..Process ID: 5040..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220805210740..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\RhFYnHFgJ.exe..**********************..Windows PowerShell transcript start..Start time: 20220805211241..Username: computer\user..RunAs User: DESKTOP

                                  Static File Info

                                  General

                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Entropy (8bit):7.267556524859017
                                  TrID:
                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                  • Win32 Executable (generic) a (10002005/4) 49.78%
                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                  • DOS Executable Generic (2002/1) 0.01%
                                  File name:llcubnch6T.exe
                                  File size:621056
                                  MD5:44e407b3de4a9865ab747bdca810b0b9
                                  SHA1:6eb199e6837432d8acb98c03b22277f340726372
                                  SHA256:da6abb6f3aae250d50ed09b6eacc267c33e50895e3ebd7e6ba800ab018351ec5
                                  SHA512:db8e1652a6e8d90450114641f3573b9423bce4c27c237af49a59dc44acf929580cdf59e5c216391ef87c27c52fc610653d19bce2d1507e4d8f310b7d6dee8a4b
                                  SSDEEP:12288:4H2iNSg6SKlpxxDAE7Mn3cs9OWvHoFiPEwjlk2Y/gbb:81SLlpxx8EEc85oFaj22p
                                  TLSH:52D4E082F2694F5BC0274BF9AC2594581727B39E503DD6096DFEB8EBA0727C34152E0B
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....s.b..............0..r..........b.... ........@.. ....................................@................................

                                  File Icon

                                  Icon Hash:00828e8e8686b000

                                  Static PE Info

                                  General

                                  Entrypoint:0x499162
                                  Entrypoint Section:.text
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                  Time Stamp:0x62E773E6 [Mon Aug 1 06:34:14 2022 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:4
                                  OS Version Minor:0
                                  File Version Major:4
                                  File Version Minor:0
                                  Subsystem Version Major:4
                                  Subsystem Version Minor:0
                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                  Entrypoint Preview

                                  Instruction
                                  jmp dword ptr [00402000h]
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al

                                  Data Directories

                                  NameVirtual AddressVirtual Size Is in Section
                                  IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                  IMAGE_DIRECTORY_ENTRY_IMPORT0x991100x4f.text
                                  IMAGE_DIRECTORY_ENTRY_RESOURCE0x9a0000x3a8.rsrc
                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                  IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                  IMAGE_DIRECTORY_ENTRY_BASERELOC0x9c0000xc.reloc
                                  IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                  IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                  IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                  IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                  Sections

                                  NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                  .text0x20000x971680x97200False0.7348273366418527data7.2738007120716635IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                  .rsrc0x9a0000x3a80x400False0.38671875data2.9730132767456556IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                  .reloc0x9c0000xc0x200False0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                  Resources

                                  NameRVASizeTypeLanguageCountry
                                  RT_VERSION0x9a0580x34cdata

                                  Imports

                                  DLLImport
                                  mscoree.dll_CorExeMain

                                  Network Behavior

                                  Network Port Distribution

                                  TCP Packets

                                  TimestampSource PortDest PortSource IPDest IP
                                  Aug 5, 2022 21:07:53.229300022 CEST497653030192.168.2.691.193.75.135
                                  Aug 5, 2022 21:07:53.269311905 CEST30304976591.193.75.135192.168.2.6
                                  Aug 5, 2022 21:07:53.830010891 CEST497653030192.168.2.691.193.75.135
                                  Aug 5, 2022 21:07:53.869882107 CEST30304976591.193.75.135192.168.2.6
                                  Aug 5, 2022 21:07:54.523250103 CEST497653030192.168.2.691.193.75.135
                                  Aug 5, 2022 21:07:54.563241959 CEST30304976591.193.75.135192.168.2.6
                                  Aug 5, 2022 21:07:59.581712961 CEST497773030192.168.2.691.193.75.135
                                  Aug 5, 2022 21:07:59.621660948 CEST30304977791.193.75.135192.168.2.6
                                  Aug 5, 2022 21:08:00.129159927 CEST497773030192.168.2.691.193.75.135
                                  Aug 5, 2022 21:08:00.169723034 CEST30304977791.193.75.135192.168.2.6
                                  Aug 5, 2022 21:08:00.674324989 CEST497773030192.168.2.691.193.75.135
                                  Aug 5, 2022 21:08:00.714421988 CEST30304977791.193.75.135192.168.2.6
                                  Aug 5, 2022 21:08:05.723584890 CEST497793030192.168.2.691.193.75.135
                                  Aug 5, 2022 21:08:05.763652086 CEST30304977991.193.75.135192.168.2.6
                                  Aug 5, 2022 21:08:06.268538952 CEST497793030192.168.2.691.193.75.135
                                  Aug 5, 2022 21:08:06.308541059 CEST30304977991.193.75.135192.168.2.6
                                  Aug 5, 2022 21:08:06.815474033 CEST497793030192.168.2.691.193.75.135
                                  Aug 5, 2022 21:08:06.858010054 CEST30304977991.193.75.135192.168.2.6
                                  Aug 5, 2022 21:08:11.866844893 CEST497843030192.168.2.691.193.75.135
                                  Aug 5, 2022 21:08:11.907004118 CEST30304978491.193.75.135192.168.2.6
                                  Aug 5, 2022 21:08:12.534842014 CEST497843030192.168.2.691.193.75.135
                                  Aug 5, 2022 21:08:12.575058937 CEST30304978491.193.75.135192.168.2.6
                                  Aug 5, 2022 21:08:13.222290993 CEST497843030192.168.2.691.193.75.135
                                  Aug 5, 2022 21:08:13.262275934 CEST30304978491.193.75.135192.168.2.6
                                  Aug 5, 2022 21:08:18.270786047 CEST497873030192.168.2.691.193.75.135
                                  Aug 5, 2022 21:08:18.311213017 CEST30304978791.193.75.135192.168.2.6
                                  Aug 5, 2022 21:08:18.832133055 CEST497873030192.168.2.691.193.75.135
                                  Aug 5, 2022 21:08:18.872239113 CEST30304978791.193.75.135192.168.2.6
                                  Aug 5, 2022 21:08:19.439817905 CEST497873030192.168.2.691.193.75.135
                                  Aug 5, 2022 21:08:19.479929924 CEST30304978791.193.75.135192.168.2.6
                                  Aug 5, 2022 21:08:24.489988089 CEST497943030192.168.2.691.193.75.135
                                  Aug 5, 2022 21:08:24.530139923 CEST30304979491.193.75.135192.168.2.6
                                  Aug 5, 2022 21:08:25.035784960 CEST497943030192.168.2.691.193.75.135
                                  Aug 5, 2022 21:08:25.075980902 CEST30304979491.193.75.135192.168.2.6
                                  Aug 5, 2022 21:08:25.582756996 CEST497943030192.168.2.691.193.75.135
                                  Aug 5, 2022 21:08:25.622864962 CEST30304979491.193.75.135192.168.2.6
                                  Aug 5, 2022 21:08:30.632461071 CEST497973030192.168.2.691.193.75.135
                                  Aug 5, 2022 21:08:30.672374010 CEST30304979791.193.75.135192.168.2.6
                                  Aug 5, 2022 21:08:31.223885059 CEST497973030192.168.2.691.193.75.135
                                  Aug 5, 2022 21:08:31.263833046 CEST30304979791.193.75.135192.168.2.6
                                  Aug 5, 2022 21:08:31.926997900 CEST497973030192.168.2.691.193.75.135
                                  Aug 5, 2022 21:08:31.967113018 CEST30304979791.193.75.135192.168.2.6
                                  Aug 5, 2022 21:08:36.977118015 CEST497983030192.168.2.691.193.75.135
                                  Aug 5, 2022 21:08:37.017225027 CEST30304979891.193.75.135192.168.2.6
                                  Aug 5, 2022 21:08:37.615282059 CEST497983030192.168.2.691.193.75.135
                                  Aug 5, 2022 21:08:37.655406952 CEST30304979891.193.75.135192.168.2.6
                                  Aug 5, 2022 21:08:38.161915064 CEST497983030192.168.2.691.193.75.135
                                  Aug 5, 2022 21:08:38.202013016 CEST30304979891.193.75.135192.168.2.6
                                  Aug 5, 2022 21:08:43.210587025 CEST498003030192.168.2.691.193.75.135
                                  Aug 5, 2022 21:08:43.250809908 CEST30304980091.193.75.135192.168.2.6
                                  Aug 5, 2022 21:08:43.756254911 CEST498003030192.168.2.691.193.75.135
                                  Aug 5, 2022 21:08:43.796329021 CEST30304980091.193.75.135192.168.2.6
                                  Aug 5, 2022 21:08:44.459325075 CEST498003030192.168.2.691.193.75.135
                                  Aug 5, 2022 21:08:44.499526024 CEST30304980091.193.75.135192.168.2.6
                                  Aug 5, 2022 21:08:49.509156942 CEST498163030192.168.2.691.193.75.135
                                  Aug 5, 2022 21:08:49.549237013 CEST30304981691.193.75.135192.168.2.6
                                  Aug 5, 2022 21:08:50.148332119 CEST498163030192.168.2.691.193.75.135
                                  Aug 5, 2022 21:08:50.188297033 CEST30304981691.193.75.135192.168.2.6
                                  Aug 5, 2022 21:08:50.750245094 CEST498163030192.168.2.691.193.75.135
                                  Aug 5, 2022 21:08:50.790303946 CEST30304981691.193.75.135192.168.2.6
                                  Aug 5, 2022 21:08:55.806442976 CEST498453030192.168.2.691.193.75.135
                                  Aug 5, 2022 21:08:55.846424103 CEST30304984591.193.75.135192.168.2.6
                                  Aug 5, 2022 21:08:56.360430002 CEST498453030192.168.2.691.193.75.135
                                  Aug 5, 2022 21:08:56.400496960 CEST30304984591.193.75.135192.168.2.6
                                  Aug 5, 2022 21:08:56.962353945 CEST498453030192.168.2.691.193.75.135
                                  Aug 5, 2022 21:08:57.002532959 CEST30304984591.193.75.135192.168.2.6
                                  Aug 5, 2022 21:09:02.585449934 CEST498543030192.168.2.691.193.75.135
                                  Aug 5, 2022 21:09:02.625430107 CEST30304985491.193.75.135192.168.2.6
                                  Aug 5, 2022 21:09:03.259737968 CEST498543030192.168.2.691.193.75.135
                                  Aug 5, 2022 21:09:03.299568892 CEST30304985491.193.75.135192.168.2.6
                                  Aug 5, 2022 21:09:03.947386980 CEST498543030192.168.2.691.193.75.135
                                  Aug 5, 2022 21:09:03.987705946 CEST30304985491.193.75.135192.168.2.6
                                  Aug 5, 2022 21:09:08.997055054 CEST498593030192.168.2.691.193.75.135
                                  Aug 5, 2022 21:09:09.038681984 CEST30304985991.193.75.135192.168.2.6
                                  Aug 5, 2022 21:09:09.541527033 CEST498593030192.168.2.691.193.75.135
                                  Aug 5, 2022 21:09:09.581378937 CEST30304985991.193.75.135192.168.2.6
                                  Aug 5, 2022 21:09:10.088469982 CEST498593030192.168.2.691.193.75.135
                                  Aug 5, 2022 21:09:10.128552914 CEST30304985991.193.75.135192.168.2.6
                                  Aug 5, 2022 21:09:15.136780977 CEST498703030192.168.2.691.193.75.135
                                  Aug 5, 2022 21:09:15.176758051 CEST30304987091.193.75.135192.168.2.6
                                  Aug 5, 2022 21:09:15.682686090 CEST498703030192.168.2.691.193.75.135
                                  Aug 5, 2022 21:09:15.722548962 CEST30304987091.193.75.135192.168.2.6
                                  Aug 5, 2022 21:09:16.229609013 CEST498703030192.168.2.691.193.75.135
                                  Aug 5, 2022 21:09:16.269427061 CEST30304987091.193.75.135192.168.2.6
                                  Aug 5, 2022 21:09:21.278151035 CEST498833030192.168.2.691.193.75.135
                                  Aug 5, 2022 21:09:21.318515062 CEST30304988391.193.75.135192.168.2.6
                                  Aug 5, 2022 21:09:21.855076075 CEST498833030192.168.2.691.193.75.135
                                  Aug 5, 2022 21:09:21.895132065 CEST30304988391.193.75.135192.168.2.6
                                  Aug 5, 2022 21:09:22.558250904 CEST498833030192.168.2.691.193.75.135
                                  Aug 5, 2022 21:09:22.598500967 CEST30304988391.193.75.135192.168.2.6
                                  Aug 5, 2022 21:09:27.606158018 CEST498853030192.168.2.691.193.75.135
                                  Aug 5, 2022 21:09:27.646354914 CEST30304988591.193.75.135192.168.2.6
                                  Aug 5, 2022 21:09:28.152470112 CEST498853030192.168.2.691.193.75.135
                                  Aug 5, 2022 21:09:28.192559004 CEST30304988591.193.75.135192.168.2.6
                                  Aug 5, 2022 21:09:28.699387074 CEST498853030192.168.2.691.193.75.135
                                  Aug 5, 2022 21:09:28.739516973 CEST30304988591.193.75.135192.168.2.6

                                  Statistics

                                  Behavior

                                  Click to jump to process

                                  System Behavior

                                  General

                                  Target ID:0
                                  Start time:21:07:20
                                  Start date:05/08/2022
                                  Path:C:\Users\user\Desktop\llcubnch6T.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\llcubnch6T.exe"
                                  Imagebase:0xa30000
                                  File size:621056 bytes
                                  MD5 hash:44E407B3DE4A9865AB747BDCA810B0B9
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Yara matches:
                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.418726957.0000000003063000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.419146088.00000000030EE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000002.419146088.00000000030EE000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                  Reputation:low

                                  General

                                  Target ID:5
                                  Start time:21:07:36
                                  Start date:05/08/2022
                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RhFYnHFgJ.exe
                                  Imagebase:0xf10000
                                  File size:430592 bytes
                                  MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Reputation:high

                                  General

                                  Target ID:6
                                  Start time:21:07:37
                                  Start date:05/08/2022
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff6406f0000
                                  File size:625664 bytes
                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  General

                                  Target ID:7
                                  Start time:21:07:37
                                  Start date:05/08/2022
                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RhFYnHFgJ" /XML "C:\Users\user\AppData\Local\Temp\tmp95A0.tmp
                                  Imagebase:0x290000
                                  File size:185856 bytes
                                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  General

                                  Target ID:8
                                  Start time:21:07:39
                                  Start date:05/08/2022
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff6406f0000
                                  File size:625664 bytes
                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  General

                                  Target ID:9
                                  Start time:21:07:42
                                  Start date:05/08/2022
                                  Path:C:\Users\user\Desktop\llcubnch6T.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Users\user\Desktop\llcubnch6T.exe
                                  Imagebase:0xce0000
                                  File size:621056 bytes
                                  MD5 hash:44E407B3DE4A9865AB747BDCA810B0B9
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Yara matches:
                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000009.00000002.630822289.0000000003051000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000009.00000000.410857927.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000009.00000000.410857927.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000009.00000002.635757563.00000000055A6000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                  Reputation:low

                                  Disassembly

                                  No disassembly