Windows Analysis Report
Cpvgbsz3gu.exe

Overview

General Information

Sample Name: Cpvgbsz3gu.exe
Original Sample Name: 003050a0d5ade7c44587794f418f1fe17ec66bbeb77f26fe3477846af60f6252.exe
Analysis ID: 840956
MD5: b297ff6e4ddf93de83ba48ca4a47222a
SHA1: 304031df1a2b25161731f5463f31420001786588
SHA256: 003050a0d5ade7c44587794f418f1fe17ec66bbeb77f26fe3477846af60f6252
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
.NET source code references suspicious native API functions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains method to dynamically call methods (often used by packers)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • Cpvgbsz3gu.exe (PID: 6992 cmdline: C:\Users\user\Desktop\Cpvgbsz3gu.exe MD5: B297FF6E4DDF93DE83BA48CA4A47222A)
    • Cpvgbsz3gu.exe (PID: 3216 cmdline: {path} MD5: B297FF6E4DDF93DE83BA48CA4A47222A)
  • cleanup

Malware Configuration (AgentTesla): {"Exfil Mode": "SMTP", "Host": "mail.panservis.rs", "Username": "office@panservis.rs", "Password": "M8KQPEmv2a+"}

Yara matches (memory dumps)
Source | Rule | Description | Author | Strings
00000001.00000002.578029102.00000000033AC000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000001.00000002.578029102.00000000033AC000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000001.00000002.576354013.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000000.00000002.343712436.00000000037DC000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
Process Memory Space: Cpvgbsz3gu.exe PID: 6992 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security

Yara matches (unpacked PE files)
Source | Rule | Description | Author | Strings
0.2.Cpvgbsz3gu.exe.3994878.2.unpack | MSIL_SUSP_OBFUSC_XorStringsNet | Detects XorStringsNET string encryption, and other obfuscators derived from it | dr4k0nia
  • 0x17c6a:$pattern: 06 1E 58 07 8E 69 FE 17
  • 0x269d2:$a2: _CorExeMain
  • 0x227fe:$a3: mscorlib
  • 0x23bdd:$a4: .cctor
  • 0x22559:$a6: <Module>
0.2.Cpvgbsz3gu.exe.3994878.2.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
1.2.Cpvgbsz3gu.exe.400000.0.unpack | MSIL_SUSP_OBFUSC_XorStringsNet | Detects XorStringsNET string encryption, and other obfuscators derived from it | dr4k0nia
  • 0x19a6a:$pattern: 06 1E 58 07 8E 69 FE 17
  • 0x287d2:$a2: _CorExeMain
  • 0x245fe:$a3: mscorlib
  • 0x259dd:$a4: .cctor
  • 0x24359:$a6: <Module>
1.2.Cpvgbsz3gu.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0.2.Cpvgbsz3gu.exe.3994878.2.raw.unpack | MSIL_SUSP_OBFUSC_XorStringsNet | Detects XorStringsNET string encryption, and other obfuscators derived from it | dr4k0nia
  • 0x19a6a:$pattern: 06 1E 58 07 8E 69 FE 17
  • 0x4288a:$pattern: 06 1E 58 07 8E 69 FE 17
  • 0x287d2:$a2: _CorExeMain
  • 0x515f2:$a2: _CorExeMain
  • 0x245fe:$a3: mscorlib
  • 0x4d41e:$a3: mscorlib
  • 0x259dd:$a4: .cctor
  • 0x4e7fd:$a4: .cctor
  • 0x24359:$a6: <Module>
  • 0x4d179:$a6: <Module>

No Sigma rule has matched
No Snort rule has matched


                AV Detection

Source: Cpvgbsz3gu.exe | ReversingLabs: Detection: 48%
Source: Cpvgbsz3gu.exe | Joe Sandbox ML: detected
Source: 1.2.Cpvgbsz3gu.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 0.2.Cpvgbsz3gu.exe.3994878.2.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.panservis.rs", "Username": "office@panservis.rs", "Password": "M8KQPEmv2a+"}
Source: Cpvgbsz3gu.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 64.185.227.155:443 -> 192.168.2.4:49691 version: TLS 1.2
Source: Cpvgbsz3gu.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: YIa8Lnj.pdb source: Cpvgbsz3gu.exe
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 0_2_04743348
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 0_2_04744020
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 0_2_04743337

                Networking

Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | DNS query: name: api.ipify.org
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View | IP Address: 185.118.171.10
Source: Joe Sandbox View | IP Address: 64.185.227.155
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
Source: global traffic | TCP traffic: 192.168.2.4:49699 -> 185.118.171.10:587
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown | Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown | DNS traffic detected: queries for: api.ipify.org
Source: 0.2.Cpvgbsz3gu.exe.3994878.2.unpack, type: UNPACKEDPE | Matched rule: MSIL_SUSP_OBFUSC_XorStringsNet author = dr4k0nia, description = Detects XorStringsNET string encryption, and other obfuscators derived from it, score = 26/03/2023, version = 1.0, reference = https://github.com/dr4k0nia/yara-rules
Source: 1.2.Cpvgbsz3gu.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MSIL_SUSP_OBFUSC_XorStringsNet author = dr4k0nia, description = Detects XorStringsNET string encryption, and other obfuscators derived from it, score = 26/03/2023, version = 1.0, reference = https://github.com/dr4k0nia/yara-rules
Source: 0.2.Cpvgbsz3gu.exe.3994878.2.raw.unpack, type: UNPACKEDPE | Matched rule: MSIL_SUSP_OBFUSC_XorStringsNet author = dr4k0nia, description = Detects XorStringsNET string encryption, and other obfuscators derived from it, score = 26/03/2023, version = 1.0, reference = https://github.com/dr4k0nia/yara-rules
Source: 0.2.Cpvgbsz3gu.exe.38eae28.3.raw.unpack, type: UNPACKEDPE | Matched rule: MSIL_SUSP_OBFUSC_XorStringsNet author = dr4k0nia, description = Detects XorStringsNET string encryption, and other obfuscators derived from it, score = 26/03/2023, version = 1.0, reference = https://github.com/dr4k0nia/yara-rules
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Code function: 0_2_04740040
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Code function: 0_2_04744020
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Code function: 0_2_04740007
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Code function: 1_2_017FA9D8
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Code function: 1_2_017FC998
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Code function: 1_2_017F9DC0
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Code function: 1_2_017FA108
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Code function: 1_2_06F3B7A8
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Code function: 1_2_06F35228
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Code function: 1_2_06F361F8
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Code function: 1_2_06F387B8
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Code function: 1_2_0708356C
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Code function: 1_2_0708FBB0
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Code function: 1_2_0708A1FC
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Code function: 1_2_0708EBB0
Source: Cpvgbsz3gu.exe, 00000000.00000002.343712436.00000000037DC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs Cpvgbsz3gu.exe
Source: Cpvgbsz3gu.exe, 00000000.00000002.343712436.00000000037DC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename857b26fb-aee6-4707-9f23-eb8bcc8db6cb.exe4 vs Cpvgbsz3gu.exe
Source: Cpvgbsz3gu.exe, 00000000.00000000.305070957.0000000000372000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameYIa8Lnj.exe< vs Cpvgbsz3gu.exe
Source: Cpvgbsz3gu.exe, 00000000.00000002.331388257.0000000002823000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename857b26fb-aee6-4707-9f23-eb8bcc8db6cb.exe4 vs Cpvgbsz3gu.exe
Source: Cpvgbsz3gu.exe, 00000000.00000002.331388257.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs Cpvgbsz3gu.exe
Source: Cpvgbsz3gu.exe, 00000000.00000002.358113559.00000000072B0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs Cpvgbsz3gu.exe
Source: Cpvgbsz3gu.exe, 00000001.00000002.577221243.000000000188A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Cpvgbsz3gu.exe
Source: Cpvgbsz3gu.exe, 00000001.00000002.576616790.00000000014F8000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Cpvgbsz3gu.exe
Source: Cpvgbsz3gu.exe, 00000001.00000002.576354013.000000000042C000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilename857b26fb-aee6-4707-9f23-eb8bcc8db6cb.exe4 vs Cpvgbsz3gu.exe
Source: Cpvgbsz3gu.exe | Binary or memory string: OriginalFilenameYIa8Lnj.exe< vs Cpvgbsz3gu.exe
Source: Cpvgbsz3gu.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\Cpvgbsz3gu.exe C:\Users\user\Desktop\Cpvgbsz3gu.exe
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Process created: C:\Users\user\Desktop\Cpvgbsz3gu.exe {path}
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Cpvgbsz3gu.exe.log
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@4/2
Source: Cpvgbsz3gu.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: Cpvgbsz3gu.exe, nGgL6XbBbUYVBtSDRB/lMWvyIaOafDQc5MFHs.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.Cpvgbsz3gu.exe.400000.0.unpack, A/P1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.Cpvgbsz3gu.exe.400000.0.unpack, a/aA1.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.Cpvgbsz3gu.exe.400000.0.unpack, a/aN1.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.Cpvgbsz3gu.exe.400000.0.unpack, a/am2.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 1.2.Cpvgbsz3gu.exe.400000.0.unpack, a/ak2.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Cpvgbsz3gu.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Cpvgbsz3gu.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

                Data Obfuscation

Source: Cpvgbsz3gu.exe, nGgL6XbBbUYVBtSDRB/QukawpXNnbSs7fCAuE.cs | .Net Code: LAV0v1AXQ7 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: Cpvgbsz3gu.exe, nGgL6XbBbUYVBtSDRB/lMWvyIaOafDQc5MFHs.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Code function: 1_2_06F3A44F push es; ret | 1_2_06F3A460
Source: initial sample | Static PE information: section name: .text entropy: 7.140662747957355
Source: Cpvgbsz3gu.exe, nGgL6XbBbUYVBtSDRB/QukawpXNnbSs7fCAuE.cs | High entropy of concatenated method names: '.ctor', 'Mxg0AKqB08', 'mJ1048o2pp', 'P4k0CKPLZx', 'KXy0DTcS9B', 'dTl0SKI9Vo', 'vA20JUTjFX', 'EBU07LFLKD', 'qyi0f1BAhn', 'tj60l047Nd'
Source: Cpvgbsz3gu.exe, nGgL6XbBbUYVBtSDRB/BdqaAu6xY0mj2ceBJW.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'Wr2poanLO', 'uk3Vmpy93h', 'BwWVPO7iPZ', 'onkVAmO4n7', 'aqlVRnHG1x', 'touVw5JUup', 'xgkV93A4HT', 'gkBVgekams'
Source: Cpvgbsz3gu.exe, nGgL6XbBbUYVBtSDRB/LjRxZ8sXAn6kjJxhiy.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'jRqeckiC4m', 'bL1VFu64iu', 'QpHVW4nxL3', 'f26emnHQ2K', 'ASfeP7Q2A0', 'vy9TgO4A4x', 'gEBTB8dTtK', 'p5HTSAYGtg'
Source: Cpvgbsz3gu.exe, nGgL6XbBbUYVBtSDRB/jq9M772FWIktiMfxiR.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'bfLRCfoWgY', 'eLXnFNG4DA', 'cclnWtufIS', 'co9nEH6Fte', 'iW2n6M1biP', 'AghnbrPJMa', 'olUnKa0byE', 'posnm4egTe'
Source: Cpvgbsz3gu.exe, nGgL6XbBbUYVBtSDRB/IKpUW3GYjIjQHmcxdx.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'STlyu9B8kq', 'tJPexKla2d', 'y07eCbuGsX', 'TGheSAlq8w', 'V9Ie74vnhA', 'xmmeDZuBRY', 'F2ceHOA7PB', 'oGcekXFYyk'
Source: Cpvgbsz3gu.exe, nGgL6XbBbUYVBtSDRB/lMWvyIaOafDQc5MFHs.cs | High entropy of concatenated method names: '.cctor', 'VbGHjQtRt3edg', 'FKnkYNHGht', 'D4gkPbla9X', 'A2CkaJr3Ty', 'UaDkbl2PCX', 'hInkUOg3Hu', 'lqIkjwjNkA', 'dXMkGY9JsQ', 'v4OkrMhLdS'
Source: Cpvgbsz3gu.exe, nGgL6XbBbUYVBtSDRB/ypEO0Jo0DFgulKGvGN.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'PaAEBocYcH', 'amETQcFqRb', 'r6RTpNfpWK', 'KGE2m4FR1d', 'KiL2P16MCG', 'XFN2A1YIUF', 'w5J2Rk6p9D', 'pEqTrVwkvC'
Source: Cpvgbsz3gu.exe, nGgL6XbBbUYVBtSDRB/sef76UrqimH390Aejj.cs | High entropy of concatenated method names: 'Q0LhZePY9I', 'e18hTq0tbQ', 'lKrhHcxb0K', '.ctor', 'kLjw4iIsCLsZtxc4lksN0j', '.cctor', 'DTbUXN7kUnmPooOuHs', 'eCoqwuhUJnBpYWj3QH', 'bHhmYpsS1uN8vmbrpB', 'd6BXXAOYS2nYRcdrYN'
Source: Cpvgbsz3gu.exe, nGgL6XbBbUYVBtSDRB/ar1rPZ0oRLR7fDMDkm.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'XoWx9PkHm', 'etmVnNq9NK', 'RkyV2QcgsK', 'dLWVIAvB3p', 'iagVY23LkJ', 'bL1VFu64iu', 'QpHVW4nxL3', 'XUwVErGvdT'
Source: Cpvgbsz3gu.exe, PingDashboard.My/MySettings.cs | High entropy of concatenated method names: '.cctor', '.ctor', 'AutoSaveSettings', 'get_Default', 'Sc6Y9cRrMCl6GsbFln', 'UPLlhPXnMtpb5c9uO1', 'o9YSaybNMjvnZ7iudT', 'jQvDiWJcmkKjfnaDBv', 'QsY29hdVtCcok3HZJp', 'DGofxtje3hrQmSvVvO'
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                Malware Analysis System Evasion

Source: Yara match | File source: Process Memory Space: Cpvgbsz3gu.exe PID: 6992, type: MEMORYSTR
Source: Cpvgbsz3gu.exe, 00000000.00000002.331388257.0000000002AB6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Cpvgbsz3gu.exe, 00000000.00000002.331388257.0000000002AB6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe TID: 6960 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe TID: 6988 | Thread sleep count: 2356 > 30
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe TID: 5276 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe TID: 5276 | Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe TID: 5276 | Thread sleep time: -99827s >= -30000s
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe TID: 5276 | Thread sleep time: -99704s >= -30000s
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe TID: 5276 | Thread sleep time: -99547s >= -30000s
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe TID: 5276 | Thread sleep time: -99416s >= -30000s
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe TID: 5276 | Thread sleep time: -99265s >= -30000s
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe TID: 5276 | Thread sleep time: -99156s >= -30000s
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe TID: 5276 | Thread sleep time: -99047s >= -30000s
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe TID: 5276 | Thread sleep time: -98937s >= -30000s
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe TID: 5276 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Window / User API: threadDelayed 2356
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Thread delayed: delay time: 100000
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Thread delayed: delay time: 99827
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Thread delayed: delay time: 99704
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Thread delayed: delay time: 99547
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Thread delayed: delay time: 99416
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Thread delayed: delay time: 99265
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Thread delayed: delay time: 99156
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Thread delayed: delay time: 99047
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Thread delayed: delay time: 98937
Source: Cpvgbsz3gu.exe, 00000000.00000002.331388257.0000000002AB6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: Cpvgbsz3gu.exe, 00000000.00000002.331388257.0000000002AB6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
Source: Cpvgbsz3gu.exe, 00000000.00000002.331388257.0000000002AB6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Cpvgbsz3gu.exe, 00000000.00000002.331388257.0000000002AB6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Cpvgbsz3gu.exe, 00000000.00000002.331388257.0000000002AB6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE
Source: Cpvgbsz3gu.exe, 00000000.00000002.331388257.0000000002AB6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Cpvgbsz3gu.exe, 00000000.00000002.331388257.0000000002AB6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Cpvgbsz3gu.exe, 00000000.00000002.331388257.0000000002AB6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
Source: Cpvgbsz3gu.exe, 00000000.00000002.331388257.0000000002AB6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: Cpvgbsz3gu.exe, 00000001.00000003.351758903.0000000001937000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

Source: Cpvgbsz3gu.exe, nGgL6XbBbUYVBtSDRB/lMWvyIaOafDQc5MFHs.cs | Reference to suspicious API methods: ('z50kmEQBY5', 'LoadLibrary@kernel32'), ('LIBkpRmPbH', 'GetProcAddress@kernel32')
Source: 1.2.Cpvgbsz3gu.exe.400000.0.unpack, A/C1.cs | Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Memory written: C:\Users\user\Desktop\Cpvgbsz3gu.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Process created: C:\Users\user\Desktop\Cpvgbsz3gu.exe {path}
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Users\user\Desktop\Cpvgbsz3gu.exe VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF | VolumeInformation
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf | VolumeInformation
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Fonts\micross.ttf | VolumeInformation
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Users\user\Desktop\Cpvgbsz3gu.exe | VolumeInformation
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll | VolumeInformation
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll | VolumeInformation
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll | VolumeInformation
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography | MachineGuid
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Code function: 1_2_017FF164 GetUserNameW, 1_2_017FF164

                Stealing of Sensitive Information

                Source: Yara match | File source: 00000001.00000002.578029102.00000000033AC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: Cpvgbsz3gu.exe PID: 3216, type: MEMORYSTR
                Source: Yara match | File source: 0.2.Cpvgbsz3gu.exe.3994878.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 1.2.Cpvgbsz3gu.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Cpvgbsz3gu.exe.3994878.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Cpvgbsz3gu.exe.38eae28.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000001.00000002.576354013.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.343712436.00000000037DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Users\user\Desktop\Cpvgbsz3gu.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: Yara match | File source: 00000001.00000002.578029102.00000000033AC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: Cpvgbsz3gu.exe PID: 3216, type: MEMORYSTR

                Remote Access Functionality

                Source: Yara match | File source: 00000001.00000002.578029102.00000000033AC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: Cpvgbsz3gu.exe PID: 3216, type: MEMORYSTR
                Source: Yara match | File source: 0.2.Cpvgbsz3gu.exe.3994878.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 1.2.Cpvgbsz3gu.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Cpvgbsz3gu.exe.3994878.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.Cpvgbsz3gu.exe.38eae28.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000001.00000002.576354013.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.343712436.00000000037DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

                Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                Valid Accounts211
                Windows Management Instrumentation
                Path Interception111
                Process Injection
                1
                Disable or Modify Tools
                1
                OS Credential Dumping
                1
                Account Discovery
                Remote Services11
                Archive Collected Data
                Exfiltration Over Other Network Medium1
                Ingress Tool Transfer
                Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                Default Accounts1
                Native API
                Boot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
                Deobfuscate/Decode Files or Information
                1
                Credentials in Registry
                114
                System Information Discovery
                Remote Desktop Protocol1
                Data from Local System
                Exfiltration Over Bluetooth11
                Encrypted Channel
                Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)3
                Obfuscated Files or Information
                Security Account Manager1
                Query Registry
                SMB/Windows Admin Shares1
                Email Collection
                Automated Exfiltration1
                Non-Standard Port
                Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)23
                Software Packing
                NTDS211
                Security Software Discovery
                Distributed Component Object ModelInput CaptureScheduled Transfer2
                Non-Application Layer Protocol
                SIM Card SwapCarrier Billing Fraud
                Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
                Masquerading
                LSA Secrets131
                Virtualization/Sandbox Evasion
                SSHKeyloggingData Transfer Size Limits23
                Application Layer Protocol
                Manipulate Device CommunicationManipulate App Store Rankings or Ratings
                Replication Through Removable MediaLaunchdRc.commonRc.common131
                Virtualization/Sandbox Evasion
                Cached Domain Credentials1
                Application Window Discovery
                VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                External Remote ServicesScheduled TaskStartup ItemsStartup Items111
                Process Injection
                DCSync1
                System Owner/User Discovery
                Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc Filesystem1
                Remote System Discovery
                Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
                Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Masquerading/etc/passwd and /etc/shadow1
                System Network Configuration Discovery
                Software Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction