Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
RogueChecker.exe

Overview

General Information

Sample Name:RogueChecker.exe
Analysis ID:800680
MD5:7b0c95a1d60d8148497730601d29399a
SHA1:502ed0d549aacb8ff7442e47a3afa8bee3e9117d
SHA256:96a19d810a0c76c97a06fe2d3860b6bf6d0cb6aaecf81a913cc69c583be5a85c
Infos:

Detection

Score:3
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Detected potential crypto function
Potential time zone aware malware
Program does not show much activity (idle)

Classification

Process Tree

  • System is w10x64
  • RogueChecker.exe (PID: 5988 cmdline: C:\Users\user\Desktop\RogueChecker.exe MD5: 7B0C95A1D60D8148497730601D29399A)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

No Sigma rule has matched

Snort Signatures

No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: RogueChecker.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\RogueChecker.exeFile opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_88df21dd2faf7c49\MSVCR80.dllJump to behavior
Source: RogueChecker.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH
Source: Binary string: E:\fblnet\fblnet\net\dhcp\server\tools\RogueChecker\RogueChecker\obj\Release\RogueChecker.pdbHm source: RogueChecker.exe
Source: Binary string: E:\fblnet\fblnet\net\dhcp\server\tools\RogueChecker\RogueChecker\obj\Release\RogueChecker.pdb source: RogueChecker.exe
Source: RogueChecker.exe, 00000000.00000003.313867561.000000001BE51000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://en.w
Source: RogueChecker.exe, 00000000.00000003.310937935.000000001BE42000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://en.w0
Source: RogueChecker.exe, 00000000.00000002.572603013.000000001D052000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://fontfabrik.com
Source: RogueChecker.exe, 00000000.00000002.572603013.000000001D052000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: RogueChecker.exe, 00000000.00000003.314562722.000000001BE54000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: RogueChecker.exe, 00000000.00000002.572603013.000000001D052000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
Source: RogueChecker.exe, 00000000.00000002.572603013.000000001D052000.00000004.00000800.00020000.00000000.sdmp, RogueChecker.exe, 00000000.00000002.572385337.000000001BE40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
Source: RogueChecker.exe, 00000000.00000002.572603013.000000001D052000.00000004.00000800.00020000.00000000.sdmp, RogueChecker.exe, 00000000.00000002.572385337.000000001BE40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
Source: RogueChecker.exe, 00000000.00000002.572603013.000000001D052000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
Source: RogueChecker.exe, 00000000.00000003.317842792.000000001BE79000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: RogueChecker.exe, 00000000.00000002.572603013.000000001D052000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: RogueChecker.exe, 00000000.00000002.572603013.000000001D052000.00000004.00000800.00020000.00000000.sdmp, RogueChecker.exe, 00000000.00000003.317322877.000000001BE79000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: RogueChecker.exe, 00000000.00000003.317378745.000000001BE79000.00000004.00000020.00020000.00000000.sdmp, RogueChecker.exe, 00000000.00000003.317322877.000000001BE79000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmlra
Source: RogueChecker.exe, 00000000.00000002.572603013.000000001D052000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
Source: RogueChecker.exe, 00000000.00000002.572603013.000000001D052000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
Source: RogueChecker.exe, 00000000.00000002.572603013.000000001D052000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
Source: RogueChecker.exe, 00000000.00000002.572603013.000000001D052000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
Source: RogueChecker.exe, 00000000.00000002.572603013.000000001D052000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
Source: RogueChecker.exe, 00000000.00000002.572603013.000000001D052000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: RogueChecker.exe, 00000000.00000002.572603013.000000001D052000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: RogueChecker.exe, 00000000.00000002.572603013.000000001D052000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: RogueChecker.exe, 00000000.00000002.572603013.000000001D052000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: RogueChecker.exe, 00000000.00000002.572603013.000000001D052000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
Source: RogueChecker.exe, 00000000.00000002.572603013.000000001D052000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: RogueChecker.exe, 00000000.00000002.572603013.000000001D052000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
Source: RogueChecker.exe, 00000000.00000003.311423599.000000001BE52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.comF
Source: RogueChecker.exe, 00000000.00000003.311423599.000000001BE52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.comW
Source: RogueChecker.exe, 00000000.00000003.311423599.000000001BE52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.comX
Source: RogueChecker.exe, 00000000.00000003.311423599.000000001BE52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.comc
Source: RogueChecker.exe, 00000000.00000003.311423599.000000001BE52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.comd
Source: RogueChecker.exe, 00000000.00000003.311423599.000000001BE52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.comi
Source: RogueChecker.exe, 00000000.00000002.572603013.000000001D052000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
Source: RogueChecker.exe, 00000000.00000003.314562722.000000001BE54000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.comS
Source: RogueChecker.exe, 00000000.00000002.572603013.000000001D052000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
Source: RogueChecker.exe, 00000000.00000002.572603013.000000001D052000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
Source: RogueChecker.exe, 00000000.00000002.572603013.000000001D052000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
Source: RogueChecker.exe, 00000000.00000003.318369985.000000001BE7B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.de
Source: RogueChecker.exe, 00000000.00000002.572603013.000000001D052000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
Source: RogueChecker.exe, 00000000.00000003.316192055.000000001BE5B000.00000004.00000020.00020000.00000000.sdmp, RogueChecker.exe, 00000000.00000003.316379528.000000001BE5B000.00000004.00000020.00020000.00000000.sdmp, RogueChecker.exe, 00000000.00000003.316428904.000000001BE5B000.00000004.00000020.00020000.00000000.sdmp, RogueChecker.exe, 00000000.00000003.316114398.000000001BE5B000.00000004.00000020.00020000.00000000.sdmp, RogueChecker.exe, 00000000.00000003.316264076.000000001BE5B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.dee.ht
Source: RogueChecker.exe, 00000000.00000002.572603013.000000001D052000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
Source: RogueChecker.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: RogueChecker.exe, 00000000.00000002.570521099.0000000000F09000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemscorwks.dllT vs RogueChecker.exe
Source: C:\Users\user\Desktop\RogueChecker.exeCode function: 0_2_00007FF9A5DE0BCA0_2_00007FF9A5DE0BCA
Source: C:\Users\user\Desktop\RogueChecker.exeCode function: 0_2_00007FF9A5DE1F760_2_00007FF9A5DE1F76
Source: RogueChecker.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\RogueChecker.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: RogueChecker.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\RogueChecker.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\077cf2bd55145d691314f0889d7a1997\mscorlib.ni.dllJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{228D9A82-C302-11cf-9AA4-00AA004A5691}\InprocServer32Jump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\RogueChecker.exeFile created: C:\Users\user\Desktop\WellKnownServers.xmlJump to behavior
Source: classification engineClassification label: clean3.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\RogueChecker.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SettingsJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dllJump to behavior
Source: RogueChecker.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\RogueChecker.exeFile opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_88df21dd2faf7c49\MSVCR80.dllJump to behavior
Source: RogueChecker.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH
Source: RogueChecker.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: E:\fblnet\fblnet\net\dhcp\server\tools\RogueChecker\RogueChecker\obj\Release\RogueChecker.pdbHm source: RogueChecker.exe
Source: Binary string: E:\fblnet\fblnet\net\dhcp\server\tools\RogueChecker\RogueChecker\obj\Release\RogueChecker.pdb source: RogueChecker.exe
Source: C:\Users\user\Desktop\RogueChecker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeSystem information queried: CurrentTimeZoneInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeSystem information queried: CurrentTimeZoneInformationJump to behavior
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: RogueChecker.exe, 00000000.00000002.572057949.000000001BC23000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\RogueChecker.exeMemory allocated: page read and write | page guardJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\RogueChecker.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsWindows Management InstrumentationPath InterceptionPath Interception1
Masquerading		OS Credential Dumping1
System Time Discovery		Remote Services1
Archive Collected Data		Exfiltration Over Other Network Medium1
Encrypted Channel		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
Disable or Modify Tools		LSASS Memory1
Security Software Discovery		Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or InformationSecurity Account Manager13
System Information Discovery		SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
RogueChecker.exe0%ReversingLabs
RogueChecker.exe0%VirustotalBrowse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
http://www.tiro.com0%URL Reputationsafe
http://www.tiro.com0%URL Reputationsafe
http://www.goodfont.co.kr0%URL Reputationsafe
http://en.w0%URL Reputationsafe
http://www.carterandcone.coml0%URL Reputationsafe
http://www.sajatypeworks.com0%URL Reputationsafe
http://www.typography.netD0%URL Reputationsafe
http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
http://www.urwpp.dee.ht0%Avira URL Cloudsafe
http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
http://fontfabrik.com0%URL Reputationsafe
http://www.founder.com.cn/cn0%URL Reputationsafe
http://www.sajatypeworks.comX0%URL Reputationsafe
http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
http://www.ascendercorp.com/typedesigners.html0%URL Reputationsafe
http://www.sakkal.comS0%Avira URL Cloudsafe
http://www.sajatypeworks.comF0%Avira URL Cloudsafe
http://www.sandoll.co.kr0%URL Reputationsafe
http://www.sajatypeworks.comd0%URL Reputationsafe
http://www.urwpp.deDPlease0%URL Reputationsafe
http://www.sajatypeworks.comW0%Avira URL Cloudsafe
http://www.urwpp.de0%URL Reputationsafe
http://www.zhongyicts.com.cn0%URL Reputationsafe
http://www.sakkal.com0%URL Reputationsafe
http://en.w00%Avira URL Cloudsafe
http://www.sajatypeworks.comc0%Avira URL Cloudsafe
http://www.sajatypeworks.comi0%Avira URL Cloudsafe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

NameSourceMaliciousAntivirus DetectionReputation
http://www.apache.org/licenses/LICENSE-2.0RogueChecker.exe, 00000000.00000002.572603013.000000001D052000.00000004.00000800.00020000.00000000.sdmpfalse
    		high
    http://www.fontbureau.comRogueChecker.exe, 00000000.00000002.572603013.000000001D052000.00000004.00000800.00020000.00000000.sdmp, RogueChecker.exe, 00000000.00000002.572385337.000000001BE40000.00000004.00000020.00020000.00000000.sdmpfalse
      		high
      http://www.fontbureau.com/designersGRogueChecker.exe, 00000000.00000002.572603013.000000001D052000.00000004.00000800.00020000.00000000.sdmpfalse
        		high
        http://www.fontbureau.com/designers/?RogueChecker.exe, 00000000.00000002.572603013.000000001D052000.00000004.00000800.00020000.00000000.sdmpfalse
          		high
          http://www.founder.com.cn/cn/bTheRogueChecker.exe, 00000000.00000002.572603013.000000001D052000.00000004.00000800.00020000.00000000.sdmpfalse
          • URL Reputation: safe
          		unknown
          http://www.sakkal.comSRogueChecker.exe, 00000000.00000003.314562722.000000001BE54000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          		unknown
          http://www.fontbureau.com/designers?RogueChecker.exe, 00000000.00000002.572603013.000000001D052000.00000004.00000800.00020000.00000000.sdmpfalse
            		high
            http://www.urwpp.dee.htRogueChecker.exe, 00000000.00000003.316192055.000000001BE5B000.00000004.00000020.00020000.00000000.sdmp, RogueChecker.exe, 00000000.00000003.316379528.000000001BE5B000.00000004.00000020.00020000.00000000.sdmp, RogueChecker.exe, 00000000.00000003.316428904.000000001BE5B000.00000004.00000020.00020000.00000000.sdmp, RogueChecker.exe, 00000000.00000003.316114398.000000001BE5B000.00000004.00000020.00020000.00000000.sdmp, RogueChecker.exe, 00000000.00000003.316264076.000000001BE5B000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            		unknown
            http://www.tiro.comRogueChecker.exe, 00000000.00000002.572603013.000000001D052000.00000004.00000800.00020000.00000000.sdmpfalse
            • URL Reputation: safe
            • URL Reputation: safe
            		unknown
            http://www.fontbureau.com/designersRogueChecker.exe, 00000000.00000002.572603013.000000001D052000.00000004.00000800.00020000.00000000.sdmp, RogueChecker.exe, 00000000.00000002.572385337.000000001BE40000.00000004.00000020.00020000.00000000.sdmpfalse
              		high
              http://www.goodfont.co.krRogueChecker.exe, 00000000.00000002.572603013.000000001D052000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              http://www.sajatypeworks.comFRogueChecker.exe, 00000000.00000003.311423599.000000001BE52000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://www.fontbureau.com/designers/frere-jones.htmlraRogueChecker.exe, 00000000.00000003.317378745.000000001BE79000.00000004.00000020.00020000.00000000.sdmp, RogueChecker.exe, 00000000.00000003.317322877.000000001BE79000.00000004.00000020.00020000.00000000.sdmpfalse
                		high
                http://en.wRogueChecker.exe, 00000000.00000003.313867561.000000001BE51000.00000004.00000020.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                		unknown
                http://www.carterandcone.comlRogueChecker.exe, 00000000.00000002.572603013.000000001D052000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                		unknown
                http://www.sajatypeworks.comRogueChecker.exe, 00000000.00000002.572603013.000000001D052000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                		unknown
                http://www.typography.netDRogueChecker.exe, 00000000.00000002.572603013.000000001D052000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                		unknown
                http://www.fontbureau.com/designers/cabarga.htmlNRogueChecker.exe, 00000000.00000002.572603013.000000001D052000.00000004.00000800.00020000.00000000.sdmpfalse
                  		high
                  http://www.founder.com.cn/cn/cTheRogueChecker.exe, 00000000.00000002.572603013.000000001D052000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  http://www.galapagosdesign.com/staff/dennis.htmRogueChecker.exe, 00000000.00000002.572603013.000000001D052000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  http://fontfabrik.comRogueChecker.exe, 00000000.00000002.572603013.000000001D052000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  http://www.founder.com.cn/cnRogueChecker.exe, 00000000.00000002.572603013.000000001D052000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  http://www.fontbureau.com/designers/frere-jones.htmlRogueChecker.exe, 00000000.00000002.572603013.000000001D052000.00000004.00000800.00020000.00000000.sdmp, RogueChecker.exe, 00000000.00000003.317322877.000000001BE79000.00000004.00000020.00020000.00000000.sdmpfalse
                    		high
                    http://www.fontbureau.com/designers/cabarga.htmlRogueChecker.exe, 00000000.00000003.317842792.000000001BE79000.00000004.00000020.00020000.00000000.sdmpfalse
                      		high
                      http://www.sajatypeworks.comXRogueChecker.exe, 00000000.00000003.311423599.000000001BE52000.00000004.00000020.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.sajatypeworks.comWRogueChecker.exe, 00000000.00000003.311423599.000000001BE52000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://www.jiyu-kobo.co.jp/RogueChecker.exe, 00000000.00000002.572603013.000000001D052000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://en.w0RogueChecker.exe, 00000000.00000003.310937935.000000001BE42000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://www.galapagosdesign.com/DPleaseRogueChecker.exe, 00000000.00000002.572603013.000000001D052000.00000004.00000800.00020000.00000000.sdmpfalse
                      • URL Reputation: safe
                      		unknown
                      http://www.fontbureau.com/designers8RogueChecker.exe, 00000000.00000002.572603013.000000001D052000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        http://www.ascendercorp.com/typedesigners.htmlRogueChecker.exe, 00000000.00000003.314562722.000000001BE54000.00000004.00000020.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://www.fonts.comRogueChecker.exe, 00000000.00000002.572603013.000000001D052000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          http://www.sandoll.co.krRogueChecker.exe, 00000000.00000002.572603013.000000001D052000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.sajatypeworks.comdRogueChecker.exe, 00000000.00000003.311423599.000000001BE52000.00000004.00000020.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.urwpp.deDPleaseRogueChecker.exe, 00000000.00000002.572603013.000000001D052000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.sajatypeworks.comcRogueChecker.exe, 00000000.00000003.311423599.000000001BE52000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://www.urwpp.deRogueChecker.exe, 00000000.00000003.318369985.000000001BE7B000.00000004.00000020.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.zhongyicts.com.cnRogueChecker.exe, 00000000.00000002.572603013.000000001D052000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.sakkal.comRogueChecker.exe, 00000000.00000002.572603013.000000001D052000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://www.sajatypeworks.comiRogueChecker.exe, 00000000.00000003.311423599.000000001BE52000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown

                          World Map of Contacted IPs

                          No contacted IP infos

                          General Information

                          Joe Sandbox Version:36.0.0 Rainbow Opal
                          Analysis ID:800680
                          Start date and time:2023-02-07 18:03:43 +01:00
                          Joe Sandbox Product:CloudBasic
                          Overall analysis duration:0h 6m 59s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                          Number of analysed new started processes analysed:7
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • HDC enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample file name:RogueChecker.exe
                          Detection:CLEAN
                          Classification:clean3.winEXE@1/0@0/0
                          EGA Information:Failed
                          HDC Information:Failed
                          HCA Information:
                          • Successful, ratio: 98%
                          • Number of executed functions: 21
                          • Number of non-executed functions: 0
                          Cookbook Comments:
                          • Found application associated with file extension: .exe

                          Warnings

                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, HxTsr.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe
                          • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, login.live.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com
                          • Execution Graph export aborted for target RogueChecker.exe, PID 5988 because it is empty
                          • Not all processes where analyzed, report is missing behavior information
                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.

                          Simulations

                          Behavior and APIs

                          No simulations

                          Joe Sandbox View / Context

                          IPs

                          No context

                          Domains

                          No context

                          ASNs

                          No context

                          JA3 Fingerprints

                          No context

                          Dropped Files

                          No context

                          Created / dropped Files

                          No created / dropped files found

                          Static File Info

                          General

                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Entropy (8bit):5.944234855292515
                          TrID:
                          • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                          • Win32 Executable (generic) a (10002005/4) 49.75%
                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                          • Windows Screen Saver (13104/52) 0.07%
                          • Generic Win/DOS Executable (2004/3) 0.01%
                          File name:RogueChecker.exe
                          File size:88064
                          MD5:7b0c95a1d60d8148497730601d29399a
                          SHA1:502ed0d549aacb8ff7442e47a3afa8bee3e9117d
                          SHA256:96a19d810a0c76c97a06fe2d3860b6bf6d0cb6aaecf81a913cc69c583be5a85c
                          SHA512:501826fa2ce317032ccff911111becf76ab92e1007aa24ce352aefc08d4e34bdcc5e98bd9fb724966085b593828d14a7b2908ffa9cd60844f2b0513561ccff93
                          SSDEEP:1536:uYhFCiRUSCdNPBRpSzQDpeMaQQQduXLL+76HDXr5z6S5j2:ucFCiRUSCd5B6zQtwQQQduXH+76HTr5w
                          TLSH:4483F8143288571BC2A712F8EB12B0442737F91959E1D5D83DEBD2BE25FBB88D312663
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...&}MJ.................N..........nm... ........@.. ....................................@................................

                          File Icon

                          Icon Hash:00828e8e8686b000

                          Static PE Info

                          General

                          Entrypoint:0x416d6e
                          Entrypoint Section:.text
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH
                          Time Stamp:0x4A4D7D26 [Fri Jul 3 03:38:14 2009 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:4
                          OS Version Minor:0
                          File Version Major:4
                          File Version Minor:0
                          Subsystem Version Major:4
                          Subsystem Version Minor:0
                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                          Entrypoint Preview

                          Instruction
                          jmp dword ptr [00402000h]
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al

                          Data Directories

                          NameVirtual AddressVirtual Size Is in Section
                          IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                          IMAGE_DIRECTORY_ENTRY_IMPORT0x16d200x4b.text
                          IMAGE_DIRECTORY_ENTRY_RESOURCE0x180000x5a8.rsrc
                          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                          IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                          IMAGE_DIRECTORY_ENTRY_BASERELOC0x1a0000xc.reloc
                          IMAGE_DIRECTORY_ENTRY_DEBUG0x16c8c0x1c.text
                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                          IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                          IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                          Sections

                          NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                          .text0x20000x14d740x14e00False0.36578405688622756data5.993089999094043IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          .rsrc0x180000x5a80x600False0.41015625data4.07178673962085IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .reloc0x1a0000xc0x200False0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                          Resources

                          NameRVASizeTypeLanguageCountry
                          RT_VERSION0x180a00x318data
                          RT_MANIFEST0x183b80x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

                          Imports

                          DLLImport
                          mscoree.dll_CorExeMain

                          Network Behavior

                          Report size exceeds maximum size, go to the download page of this report and download PCAP to see all network behavior.

                          Statistics

                          CPU Usage

                          Click to jump to process

                          Memory Usage

                          Click to jump to process

                          High Level Behavior Distribution

                          Click to dive into process behavior distribution

                          System Behavior

                          General

                          Target ID:0
                          Start time:18:04:40
                          Start date:07/02/2023
                          Path:C:\Users\user\Desktop\RogueChecker.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Users\user\Desktop\RogueChecker.exe
                          Imagebase:0xa20000
                          File size:88064 bytes
                          MD5 hash:7B0C95A1D60D8148497730601D29399A
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Reputation:low

                          Disassembly

                          Reset < >

                            Executed Functions

                            Function 00007FF9A5DE1F76 Relevance: 2.4, Instructions: 2441COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000000.00000002.573902999.00007FF9A5DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5DE0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff9a5de0000_RogueChecker.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 08edd635a095e8fc46ad6db716689587ff01f5a4e2c902dc3ade91ac787d439e
                            • Instruction ID: 6d1eaf3cccbeaa689b40220017691adf82ac5508938b7afcb807f0fa2cf6b062
                            • Opcode Fuzzy Hash: 08edd635a095e8fc46ad6db716689587ff01f5a4e2c902dc3ade91ac787d439e
                            • Instruction Fuzzy Hash: 5B135D7061CB884FE7A5EB38D494BAA7BE1FF9A300F5044ADD08EC7297DE74A8458741
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 00007FF9A5DE0BCA Relevance: 1.6, Instructions: 1563COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000000.00000002.573902999.00007FF9A5DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5DE0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff9a5de0000_RogueChecker.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 00ff7014e90e92f66d2591d17d17ed97553381ff9cde4e59ed8eb87808778a87
                            • Instruction ID: 0109124d95185eabe269deec5e18dc91b0b9386f4655456ba062594396c0310a
                            • Opcode Fuzzy Hash: 00ff7014e90e92f66d2591d17d17ed97553381ff9cde4e59ed8eb87808778a87
                            • Instruction Fuzzy Hash: 9AD2407061CB894FE7A5EB38C494BAA7BD1FF9A304F5044BDD08EC7296DE74A8418B41
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 00007FF9A5DE421A Relevance: .3, Instructions: 327COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000000.00000002.573902999.00007FF9A5DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5DE0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff9a5de0000_RogueChecker.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a6d54bafaa40ad16f39c19f0ecffc00d635c3717550e318434a724ca0d822547
                            • Instruction ID: 2351da3931cfcd7d96c289be246d8e20a91bbf3d0d62c9b76473ff06f28b2e96
                            • Opcode Fuzzy Hash: a6d54bafaa40ad16f39c19f0ecffc00d635c3717550e318434a724ca0d822547
                            • Instruction Fuzzy Hash: 57A1D430A0DA895FEB55EF2898497A93FE1FF16305F4540BDE88EC7193DE64AC058782
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 00007FF9A5DE3FC9 Relevance: .2, Instructions: 228COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000000.00000002.573902999.00007FF9A5DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5DE0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff9a5de0000_RogueChecker.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ff9d37fe80a23df8d6bde7ed3be95e3a88c6c18d942bc6a8849626f7384d4db0
                            • Instruction ID: 0ec9f628a50eac7c72cd368f38a62338b6ada335a7536ee66da32da991e8b303
                            • Opcode Fuzzy Hash: ff9d37fe80a23df8d6bde7ed3be95e3a88c6c18d942bc6a8849626f7384d4db0
                            • Instruction Fuzzy Hash: E871AB21B0DB891FE782AB3898957647FD2EF8B300F5544FAD04DC729BCE68AC098350
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 00007FF9A5DE08A4 Relevance: .2, Instructions: 214COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000000.00000002.573902999.00007FF9A5DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5DE0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff9a5de0000_RogueChecker.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 051a4fbc4b71813884979aa457ff1430c915faa9385929cfd8b665a75f8d3194
                            • Instruction ID: 0bc260b95f5abfa9fcab848dfef020ddfc1df7add16cd4a5e84f6858524e0d89
                            • Opcode Fuzzy Hash: 051a4fbc4b71813884979aa457ff1430c915faa9385929cfd8b665a75f8d3194
                            • Instruction Fuzzy Hash: F8517402F2DE5A0FFBC8BB78289A27D05D2AF9EA48B45847DD44ED32CBDC5C28054216
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 00007FF9A5DE4B62 Relevance: .2, Instructions: 209COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000000.00000002.573902999.00007FF9A5DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5DE0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff9a5de0000_RogueChecker.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c8928d713066435c3751cbfc609e4906356a6927ea7918c3f29898406893e264
                            • Instruction ID: 9eae5b4cea7a67b7bd2999ad04bc102ee43a61e91a932241c997633203c9870f
                            • Opcode Fuzzy Hash: c8928d713066435c3751cbfc609e4906356a6927ea7918c3f29898406893e264
                            • Instruction Fuzzy Hash: 5351262060DB854FD746DB788499AB57FE1EF5B701F0940FEE0C9CB1A3DE24A8098792
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 00007FF9A5DE44C5 Relevance: .2, Instructions: 202COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000000.00000002.573902999.00007FF9A5DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5DE0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff9a5de0000_RogueChecker.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f9c13f703c0465a276df9fdcf1e13774653d39fe38cc58e0b1e1f345b1ed4236
                            • Instruction ID: 313e72812c2904ed8954e3de4607084248edcc047d7ec545ad8edec63b340bf7
                            • Opcode Fuzzy Hash: f9c13f703c0465a276df9fdcf1e13774653d39fe38cc58e0b1e1f345b1ed4236
                            • Instruction Fuzzy Hash: BC51C610A1CB891FE786EB3894597A93FE1EF4B300F4541FAE44DCB2D3DE6858458752
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 00007FF9A5DE0793 Relevance: .1, Instructions: 106COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000000.00000002.573902999.00007FF9A5DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5DE0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff9a5de0000_RogueChecker.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 845f6f5463740cfa6897d37c7019afa8eced5883d7cedae9933a5fde90b66c24
                            • Instruction ID: bd596756ed30f76ebff4134868b142e186fd7323889aa05356b24095ad443cf3
                            • Opcode Fuzzy Hash: 845f6f5463740cfa6897d37c7019afa8eced5883d7cedae9933a5fde90b66c24
                            • Instruction Fuzzy Hash: C8317202F2DD9A0FFB89FB7824D927D49D1EF8AA44B8584BDD44EC32CBDC5C28054256
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 00007FF9A5DE4D59 Relevance: .1, Instructions: 92COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000000.00000002.573902999.00007FF9A5DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5DE0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff9a5de0000_RogueChecker.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a15722f22e9ecac157548e359a2505433e624cf154c725e39080185ccd83ddd1
                            • Instruction ID: 1877041dfb0f9f319f18647b71f63c45363b4e8fa18bfb4c3053506de5fd9653
                            • Opcode Fuzzy Hash: a15722f22e9ecac157548e359a2505433e624cf154c725e39080185ccd83ddd1
                            • Instruction Fuzzy Hash: B7217B20B0D58A4FDB56E7384494BB9BFD0EF07700F1640BAC48EC7062DE5CB81A8341
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 00007FF9A5DE009C Relevance: .1, Instructions: 86COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000000.00000002.573902999.00007FF9A5DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5DE0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff9a5de0000_RogueChecker.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 615bbe19a0714f153bae0593252c2d5366efa156406ca0ef05eae719e85ac1d1
                            • Instruction ID: 2f6ef77b9a2c0db42ee44cf62ea7bcbc4bfbd066ab3107b04f08e949d0716598
                            • Opcode Fuzzy Hash: 615bbe19a0714f153bae0593252c2d5366efa156406ca0ef05eae719e85ac1d1
                            • Instruction Fuzzy Hash: 7F012D93D4EBC20FE7939E741C262A12FA55F2394874A40B7C8DDCE093F84D2C498611
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 00007FF9A5DE01BD Relevance: .1, Instructions: 79COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000000.00000002.573902999.00007FF9A5DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5DE0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff9a5de0000_RogueChecker.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ce79f9ed6a752548491ffc1d78ca06ed80f1fd127a98161c6ac8488b961f2521
                            • Instruction ID: e4ef15ce9b5095ef5783ac7860fe93e8208d4d284e4d962ae1e3a87a86d4b030
                            • Opcode Fuzzy Hash: ce79f9ed6a752548491ffc1d78ca06ed80f1fd127a98161c6ac8488b961f2521
                            • Instruction Fuzzy Hash: 7D11F313E2EA9A1FF795EB2818967A91ED6BF4AB48F414478E58CC71CBDC583C058312
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 00007FF9A5DE4DA9 Relevance: .1, Instructions: 69COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000000.00000002.573902999.00007FF9A5DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5DE0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff9a5de0000_RogueChecker.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f51e08e489b9119c8b4e4439aa19859e737daadbab26df2f84cff7931a18a6bd
                            • Instruction ID: a0e6832651f6fd47e93cd0ec1468d7658fbc58afd4e2bb217fc60707511f0890
                            • Opcode Fuzzy Hash: f51e08e489b9119c8b4e4439aa19859e737daadbab26df2f84cff7931a18a6bd
                            • Instruction Fuzzy Hash: 4C018921B0D7890FDB56D7185885BBA7FE0FF86705F0640B7E89EC7192DEA46C294382
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 00007FF9A5DE4B08 Relevance: .1, Instructions: 53COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000000.00000002.573902999.00007FF9A5DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5DE0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff9a5de0000_RogueChecker.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: aa568971398e67da5d7479a3ce6360d88a1ffd1df7c42e6603dbe013bb4ad336
                            • Instruction ID: 0a48bf616bae8ccdb04e01ddd76e217d93f2c8b021a4f8aab722b7af827afbf4
                            • Opcode Fuzzy Hash: aa568971398e67da5d7479a3ce6360d88a1ffd1df7c42e6603dbe013bb4ad336
                            • Instruction Fuzzy Hash: 5CF0967130C60C5F9B48FE1CDC46AF637E8E796271B00112FF54AC3103E562A8174790
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 00007FF9A5DE4E80 Relevance: .1, Instructions: 53COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000000.00000002.573902999.00007FF9A5DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5DE0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff9a5de0000_RogueChecker.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 38eb5555445950abd53375991a5de50d9e916582d2c91cca88937646d608a19c
                            • Instruction ID: 9b10a35ec834fff44839fe99a1a401122aff34d826ed0de524e54e57f64c9898
                            • Opcode Fuzzy Hash: 38eb5555445950abd53375991a5de50d9e916582d2c91cca88937646d608a19c
                            • Instruction Fuzzy Hash: 7C01B1207085064FEB99DB28A498FB977D1FF8A702F5540B6E45EC7682CE79A8158301
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 00007FF9A5DE4E50 Relevance: .0, Instructions: 45COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000000.00000002.573902999.00007FF9A5DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5DE0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff9a5de0000_RogueChecker.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: fc79cb16bd10891798dc460fcfa49e43b8c7603e495ec793fc157aa322bdee5d
                            • Instruction ID: a969a03396860135860a69efda8cb2c7dee9d2c57485783fa100d21bd5c4ca2a
                            • Opcode Fuzzy Hash: fc79cb16bd10891798dc460fcfa49e43b8c7603e495ec793fc157aa322bdee5d
                            • Instruction Fuzzy Hash: E801F4317095464FDB89DB189094B7C7BD1FF46706B1600B6E89ECB592CF38A8154301
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 00007FF9A5DE0695 Relevance: .0, Instructions: 23COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000000.00000002.573902999.00007FF9A5DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5DE0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff9a5de0000_RogueChecker.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9dc7477c91c963949388809405378d8148dbfecca4c05146e053cc5ad720dd5b
                            • Instruction ID: ccb2c20696e64398b9266624fcd0fe0dda4745f405a2223d6113724a6b597d23
                            • Opcode Fuzzy Hash: 9dc7477c91c963949388809405378d8148dbfecca4c05146e053cc5ad720dd5b
                            • Instruction Fuzzy Hash: 0AE0C202B1DE4B0FF798FB6C149A32D06D2EFEA91874081BEC44DC22CBEC4818024340
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 00007FF9A5DE0B9B Relevance: .0, Instructions: 21COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000000.00000002.573902999.00007FF9A5DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5DE0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff9a5de0000_RogueChecker.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 015d8b3208f13227556d88feb14967152e1c2938ab9b1e71948774d55330a57f
                            • Instruction ID: 17058f8691456da101eabd71c3d4708d85c61082ae62276f29239e968aecb4a5
                            • Opcode Fuzzy Hash: 015d8b3208f13227556d88feb14967152e1c2938ab9b1e71948774d55330a57f
                            • Instruction Fuzzy Hash: 6CD02B42F2DE4A0BE2D8E66C249933909C1EFCDA8E70180BC805DC31CBEC8828068240
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 00007FF9A5DE06F9 Relevance: .0, Instructions: 20COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000000.00000002.573902999.00007FF9A5DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5DE0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff9a5de0000_RogueChecker.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a497bdc2fe6b934c3232092f00927167511b93153e776175259b5ddc6cea2fae
                            • Instruction ID: 405c2dc872168e64f22472011f2efd9d5c780e5c32e02def00aaa3f647f04606
                            • Opcode Fuzzy Hash: a497bdc2fe6b934c3232092f00927167511b93153e776175259b5ddc6cea2fae
                            • Instruction Fuzzy Hash: 1CD05B43F1EE950BE3D8E73C245E63909C19F9AA44B1585BED44DC31CFDC4C58094355
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 00007FF9A5DE0765 Relevance: .0, Instructions: 20COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000000.00000002.573902999.00007FF9A5DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5DE0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff9a5de0000_RogueChecker.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8785a290dd16dc5639a40d43aa87a08557b3bc582905d9c8fcd7a7a30d5bad2d
                            • Instruction ID: 6c452c50a757cd1ebd733fb0da82efea519a193898f7694f4bf7841fbd4e1854
                            • Opcode Fuzzy Hash: 8785a290dd16dc5639a40d43aa87a08557b3bc582905d9c8fcd7a7a30d5bad2d
                            • Instruction Fuzzy Hash: F2D0C242F1EE892BF2C4E77C145A22908C19FCA9087048479948DC318BDC9818098241
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 00007FF9A5DE0193 Relevance: .0, Instructions: 19COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000000.00000002.573902999.00007FF9A5DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5DE0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff9a5de0000_RogueChecker.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6c3e75981ef6f90724978e3fb359f02791f8d2094257b2aff80d1bdd3a10f7f8
                            • Instruction ID: b8c74b62d8f76dbf6387a79b447428149fa12165b2633e86c0ecf0ca587d7da4
                            • Opcode Fuzzy Hash: 6c3e75981ef6f90724978e3fb359f02791f8d2094257b2aff80d1bdd3a10f7f8
                            • Instruction Fuzzy Hash: 5FD0A701B09A480FD74597781C901242A928F8F010B4694FBD40EC62D7CC190C450301
                            Uniqueness

                            Uniqueness Score: -1.00%

                            Function 00007FF9A5DE0146 Relevance: .0, Instructions: 9COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000000.00000002.573902999.00007FF9A5DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5DE0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ff9a5de0000_RogueChecker.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e2d416d25e4663f8cc358e170d23c01825bcce399d936c1e533cd27ec0735f9f
                            • Instruction ID: ae9fc2bcd0def69cd8307728f0419b7600c34fb40698f4b5601ca382af88061e
                            • Opcode Fuzzy Hash: e2d416d25e4663f8cc358e170d23c01825bcce399d936c1e533cd27ec0735f9f
                            • Instruction Fuzzy Hash: 5CB01241A4550A13E94472B824C25B825C18B46515B5124B5F05DC02C7CCCE7C840540
                            Uniqueness

                            Uniqueness Score: -1.00%