Edit tour

Windows Analysis Report
LSVRQikoT1.exe

Overview

General Information

Sample name:	LSVRQikoT1.exe renamed because original name is a hash value
Original sample name:	cd2b2bcbf83000676ef4037dbb03bb66.exe
Analysis ID:	1646252
MD5:	cd2b2bcbf83000676ef4037dbb03bb66
SHA1:	ff10325598dc14f9262cf7935ee3be30885ba64a
SHA256:	f7d131d6a5c70ff070c398c077889ec22598e92b456a1b199b320579b5f44599
Tags:	exeuser-abuse_ch
Infos:

Detection

Score:	56
Range:	0 - 100
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Joe Sandbox ML detected suspicious sample

Tries to detect virtualization through RDTSC time measurements

Detected TCP or UDP traffic on non-standard ports

Program does not show much activity (idle)

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Classification

Process Tree

System is w10x64

LSVRQikoT1.exe (PID: 7256 cmdline: "C:\Users\user\Desktop\LSVRQikoT1.exe" MD5: CD2B2BCBF83000676EF4037DBB03BB66)

cleanup

Joe Sandbox Signatures

• AV Detection
• Compliance
• Networking
• System Summary
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: LSVRQikoT1.exe	ReversingLabs: Detection: 47%
Source: LSVRQikoT1.exe	Virustotal: Detection: 42%			Perma Link

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: LSVRQikoT1.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: global traffic

TCP traffic: 192.168.2.4:49717 -> 8.129.15.38:8010

Source: unknown	TCP traffic detected without corresponding DNS query: 8.129.15.38
Source: unknown	TCP traffic detected without corresponding DNS query: 8.129.15.38
Source: unknown	TCP traffic detected without corresponding DNS query: 8.129.15.38
Source: unknown	TCP traffic detected without corresponding DNS query: 8.129.15.38
Source: unknown	TCP traffic detected without corresponding DNS query: 8.129.15.38
Source: unknown	TCP traffic detected without corresponding DNS query: 8.129.15.38
Source: unknown	TCP traffic detected without corresponding DNS query: 8.129.15.38
Source: unknown	TCP traffic detected without corresponding DNS query: 8.129.15.38
Source: unknown	TCP traffic detected without corresponding DNS query: 8.129.15.38
Source: unknown	TCP traffic detected without corresponding DNS query: 8.129.15.38

Source: LSVRQikoT1.exe, 00000000.00000002.2431769125.00000000042F0000.00000004.00000020.00020000.00000000.sdmp, LSVRQikoT1.exe, 00000000.00000002.2432023889.0000000004638000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://8.129.15.38:70
Source: LSVRQikoT1.exe	String found in binary or memory: http://pan.baidu.com/s/1qWKD5ve
Source: LSVRQikoT1.exe, 00000000.00000002.2431212711.0000000003F12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: LSVRQikoT1.exe, 00000000.00000002.2431212711.0000000003F12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: LSVRQikoT1.exe, 00000000.00000002.2431212711.0000000003F12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: LSVRQikoT1.exe, 00000000.00000002.2431212711.0000000003F12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: LSVRQikoT1.exe, 00000000.00000002.2431212711.0000000003F12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: LSVRQikoT1.exe, 00000000.00000002.2431212711.0000000003F12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: LSVRQikoT1.exe, 00000000.00000002.2431212711.0000000003F12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: LSVRQikoT1.exe, 00000000.00000002.2431212711.0000000003F12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: LSVRQikoT1.exe, 00000000.00000002.2431212711.0000000003F12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: LSVRQikoT1.exe, 00000000.00000002.2431212711.0000000003F12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: LSVRQikoT1.exe, 00000000.00000003.1180524509.00000000029FB000.00000004.00000020.00020000.00000000.sdmp, LSVRQikoT1.exe, 00000000.00000003.1180955893.00000000029FB000.00000004.00000020.00020000.00000000.sdmp, LSVRQikoT1.exe, 00000000.00000003.1180148778.00000000029FF000.00000004.00000020.00020000.00000000.sdmp, LSVRQikoT1.exe, 00000000.00000003.1181097459.00000000029FB000.00000004.00000020.00020000.00000000.sdmp, LSVRQikoT1.exe, 00000000.00000002.2431212711.0000000003F12000.00000004.00000800.00020000.00000000.sdmp, LSVRQikoT1.exe, 00000000.00000003.1180009625.00000000029FF000.00000004.00000020.00020000.00000000.sdmp, LSVRQikoT1.exe, 00000000.00000003.1181644610.00000000029FB000.00000004.00000020.00020000.00000000.sdmp, LSVRQikoT1.exe, 00000000.00000003.1180524509.00000000029FF000.00000004.00000020.00020000.00000000.sdmp, LSVRQikoT1.exe, 00000000.00000003.1180955893.00000000029FF000.00000004.00000020.00020000.00000000.sdmp, LSVRQikoT1.exe, 00000000.00000003.1180148778.00000000029FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: LSVRQikoT1.exe, 00000000.00000003.1180148778.00000000029FF000.00000004.00000020.00020000.00000000.sdmp, LSVRQikoT1.exe, 00000000.00000003.1180524509.00000000029FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com&
Source: LSVRQikoT1.exe, 00000000.00000003.1180148778.00000000029FF000.00000004.00000020.00020000.00000000.sdmp, LSVRQikoT1.exe, 00000000.00000003.1180009625.00000000029FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.comN
Source: LSVRQikoT1.exe, 00000000.00000003.1180148778.00000000029FF000.00000004.00000020.00020000.00000000.sdmp, LSVRQikoT1.exe, 00000000.00000003.1180009625.00000000029FF000.00000004.00000020.00020000.00000000.sdmp, LSVRQikoT1.exe, 00000000.00000003.1180524509.00000000029FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.comj
Source: LSVRQikoT1.exe, 00000000.00000003.1179472989.0000000002A01000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.como
Source: LSVRQikoT1.exe, 00000000.00000002.2431212711.0000000003F12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: LSVRQikoT1.exe, 00000000.00000003.1196619923.00000000029E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/-n
Source: LSVRQikoT1.exe, 00000000.00000002.2431212711.0000000003F12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: LSVRQikoT1.exe, 00000000.00000002.2431212711.0000000003F12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: LSVRQikoT1.exe, 00000000.00000002.2431212711.0000000003F12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: LSVRQikoT1.exe, 00000000.00000002.2431212711.0000000003F12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: LSVRQikoT1.exe, 00000000.00000002.2431212711.0000000003F12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: LSVRQikoT1.exe, 00000000.00000003.1177156873.00000000029FB000.00000004.00000020.00020000.00000000.sdmp, LSVRQikoT1.exe, 00000000.00000002.2431212711.0000000003F12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: LSVRQikoT1.exe, 00000000.00000002.2431212711.0000000003F12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: LSVRQikoT1.exe, 00000000.00000002.2431212711.0000000003F12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: LSVRQikoT1.exe, 00000000.00000003.1193352841.00000000029FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.comcom
Source: LSVRQikoT1.exe, 00000000.00000003.1203079510.00000000029FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.comnM
Source: LSVRQikoT1.exe, 00000000.00000002.2431212711.0000000003F12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: LSVRQikoT1.exe, 00000000.00000002.2431212711.0000000003F12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: LSVRQikoT1.exe	String found in binary or memory: http://www.youku.com/playlist_show/id_25824322.html
Source: LSVRQikoT1.exe, 00000000.00000002.2431212711.0000000003F12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: LSVRQikoT1.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal56.evad.winEXE@1/0@0/1

Source: LSVRQikoT1.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\LSVRQikoT1.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: LSVRQikoT1.exe	ReversingLabs: Detection: 47%
Source: LSVRQikoT1.exe	Virustotal: Detection: 42%

Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Section loaded: textshaping.dll	Jump to behavior

Source: LSVRQikoT1.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: LSVRQikoT1.exe

Static file information: File size 5210112 > 1048576

Source: LSVRQikoT1.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x370000
Source: LSVRQikoT1.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x11c000

Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\LSVRQikoT1.exe

RDTSC instruction interceptor: First address: 41C6EC second address: 41C6EC instructions: 0x00000000 rdtsc 0x00000002 imul eax, eax, 000343FDh 0x00000008 add eax, 00269EC3h 0x0000000d shr eax, 10h 0x00000010 and eax, 00007FFFh 0x00000015 mov ecx, dword ptr [ebp+10h] 0x00000018 test ecx, ecx 0x0000001a jne 00007F3AB10B37E7h 0x0000001c sub ecx, dword ptr [ebp+08h] 0x0000001f inc ecx 0x00000020 xor edx, edx 0x00000022 div ecx 0x00000024 add edx, dword ptr [ebp+08h] 0x00000027 mov eax, edx 0x00000029 pop edx 0x0000002a pop ecx 0x0000002b mov esp, ebp 0x0000002d pop ebp 0x0000002e retn 0010h 0x00000031 mov dword ptr [ebp-0Ch], eax 0x00000034 call 00007F3AB10B42AAh 0x00000039 push ebp 0x0000003a mov ebp, esp 0x0000003c sub esp, 00000018h 0x00000042 mov dword ptr [ebp-04h], 00000000h 0x00000049 mov dword ptr [ebp-08h], 00000000h 0x00000050 push 00000001h 0x00000052 push 00000007h 0x00000057 push 00000001h 0x00000059 push 00000004h 0x0000005e call 00007F3AB10B3770h 0x00000063 push ebp 0x00000064 mov ebp, esp 0x00000066 push ecx 0x00000067 push edx 0x00000068 rdtsc

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\LSVRQikoT1.exe

File opened: PhysicalDrive0

Jump to behavior

Source: LSVRQikoT1.exe, 00000000.00000002.2429316319.000000000097E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\LSVRQikoT1.exe

Process information queried: ProcessInformation

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\LSVRQikoT1.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	OS Credential Dumping	111 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 DLL Side-Loading	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	121 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
LSVRQikoT1.exe	47%	ReversingLabs	Win32.Trojan.Generic
LSVRQikoT1.exe	42%	Virustotal		Browse

Source	Detection	Scanner	Label
http://www.fonts.comj	0%	Avira URL Cloud	safe
http://www.fonts.comN	0%	Avira URL Cloud	safe
http://www.fonts.com&	0%	Avira URL Cloud	safe
http://8.129.15.38:70	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/-n	0%	Avira URL Cloud	safe
http://www.tiro.comcom	0%	Avira URL Cloud	safe
http://www.tiro.comnM	0%	Avira URL Cloud	safe
http://www.fonts.como	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	LSVRQikoT1.exe, 00000000.00000002.2431212711.0000000003F12000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	LSVRQikoT1.exe, 00000000.00000002.2431212711.0000000003F12000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	LSVRQikoT1.exe, 00000000.00000002.2431212711.0000000003F12000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	LSVRQikoT1.exe, 00000000.00000002.2431212711.0000000003F12000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	LSVRQikoT1.exe, 00000000.00000002.2431212711.0000000003F12000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com&	LSVRQikoT1.exe, 00000000.00000003.1180148778.00000000029FF000.00000004.00000020.00020000.00000000.sdmp, LSVRQikoT1.exe, 00000000.00000003.1180524509.00000000029FF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers?	LSVRQikoT1.exe, 00000000.00000002.2431212711.0000000003F12000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.comj	LSVRQikoT1.exe, 00000000.00000003.1180148778.00000000029FF000.00000004.00000020.00020000.00000000.sdmp, LSVRQikoT1.exe, 00000000.00000003.1180009625.00000000029FF000.00000004.00000020.00020000.00000000.sdmp, LSVRQikoT1.exe, 00000000.00000003.1180524509.00000000029FF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fonts.comN	LSVRQikoT1.exe, 00000000.00000003.1180148778.00000000029FF000.00000004.00000020.00020000.00000000.sdmp, LSVRQikoT1.exe, 00000000.00000003.1180009625.00000000029FF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	LSVRQikoT1.exe, 00000000.00000002.2431212711.0000000003F12000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers	LSVRQikoT1.exe, 00000000.00000002.2431212711.0000000003F12000.00000004.00000800.00020000.00000000.sdmp	false		high
http://8.129.15.38:70	LSVRQikoT1.exe, 00000000.00000002.2431769125.00000000042F0000.00000004.00000020.00020000.00000000.sdmp, LSVRQikoT1.exe, 00000000.00000002.2432023889.0000000004638000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	LSVRQikoT1.exe, 00000000.00000002.2431212711.0000000003F12000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sajatypeworks.com	LSVRQikoT1.exe, 00000000.00000003.1177156873.00000000029FB000.00000004.00000020.00020000.00000000.sdmp, LSVRQikoT1.exe, 00000000.00000002.2431212711.0000000003F12000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.tiro.comcom	LSVRQikoT1.exe, 00000000.00000003.1193352841.00000000029FB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.typography.netD	LSVRQikoT1.exe, 00000000.00000002.2431212711.0000000003F12000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/cabarga.htmlN	LSVRQikoT1.exe, 00000000.00000002.2431212711.0000000003F12000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	LSVRQikoT1.exe, 00000000.00000002.2431212711.0000000003F12000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/staff/dennis.htm	LSVRQikoT1.exe, 00000000.00000002.2431212711.0000000003F12000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	LSVRQikoT1.exe, 00000000.00000002.2431212711.0000000003F12000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/frere-user.html	LSVRQikoT1.exe, 00000000.00000002.2431212711.0000000003F12000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	LSVRQikoT1.exe, 00000000.00000002.2431212711.0000000003F12000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.youku.com/playlist_show/id_25824322.html	LSVRQikoT1.exe	false		high
http://www.galapagosdesign.com/DPlease	LSVRQikoT1.exe, 00000000.00000002.2431212711.0000000003F12000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers8	LSVRQikoT1.exe, 00000000.00000002.2431212711.0000000003F12000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.como	LSVRQikoT1.exe, 00000000.00000003.1179472989.0000000002A01000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fonts.com	LSVRQikoT1.exe, 00000000.00000003.1180524509.00000000029FB000.00000004.00000020.00020000.00000000.sdmp, LSVRQikoT1.exe, 00000000.00000003.1180955893.00000000029FB000.00000004.00000020.00020000.00000000.sdmp, LSVRQikoT1.exe, 00000000.00000003.1180148778.00000000029FF000.00000004.00000020.00020000.00000000.sdmp, LSVRQikoT1.exe, 00000000.00000003.1181097459.00000000029FB000.00000004.00000020.00020000.00000000.sdmp, LSVRQikoT1.exe, 00000000.00000002.2431212711.0000000003F12000.00000004.00000800.00020000.00000000.sdmp, LSVRQikoT1.exe, 00000000.00000003.1180009625.00000000029FF000.00000004.00000020.00020000.00000000.sdmp, LSVRQikoT1.exe, 00000000.00000003.1181644610.00000000029FB000.00000004.00000020.00020000.00000000.sdmp, LSVRQikoT1.exe, 00000000.00000003.1180524509.00000000029FF000.00000004.00000020.00020000.00000000.sdmp, LSVRQikoT1.exe, 00000000.00000003.1180955893.00000000029FF000.00000004.00000020.00020000.00000000.sdmp, LSVRQikoT1.exe, 00000000.00000003.1180148778.00000000029FB000.00000004.00000020.00020000.00000000.sdmp	false		high
http://pan.baidu.com/s/1qWKD5ve	LSVRQikoT1.exe	false		high
http://www.urwpp.deDPlease	LSVRQikoT1.exe, 00000000.00000002.2431212711.0000000003F12000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.zhongyicts.com.cn	LSVRQikoT1.exe, 00000000.00000002.2431212711.0000000003F12000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/-n	LSVRQikoT1.exe, 00000000.00000003.1196619923.00000000029E5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sakkal.com	LSVRQikoT1.exe, 00000000.00000002.2431212711.0000000003F12000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.tiro.comnM	LSVRQikoT1.exe, 00000000.00000003.1203079510.00000000029FB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
8.129.15.38	unknown	Singapore		37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1646252
Start date and time:	2025-03-23 19:13:15 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	LSVRQikoT1.exe renamed because original name is a hash value
Original Sample Name:	cd2b2bcbf83000676ef4037dbb03bb66.exe
Detection:	MAL
Classification:	mal56.evad.winEXE@1/0@0/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.31.69.3, 4.245.163.56
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtProtectVirtualMemory calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	KHoDN.76532.10.exe	Get hash	malicious	Unknown	Browse	118.178.60.98
	KHoDN.76532.10.exe	Get hash	malicious	Unknown	Browse	39.103.20.80
	loligang.ppc.elf	Get hash	malicious	Mirai	Browse	39.108.250.197
	loligang.x86.elf	Get hash	malicious	Mirai	Browse	39.96.157.212
	NKHod.76452.04.exe	Get hash	malicious	Unknown	Browse	118.178.60.98
	ooDglrtbdQ.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	121.40.100.192
	NHOji.25731.03.exe	Get hash	malicious	Unknown	Browse	39.103.20.35
	resgod.x86.elf	Get hash	malicious	Mirai	Browse	223.7.75.51
	resgod.spc.elf	Get hash	malicious	Mirai	Browse	121.42.103.67
	hoho.m68k.elf	Get hash	malicious	Unknown	Browse	101.200.226.244

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.588418822988679
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	LSVRQikoT1.exe
File size:	5'210'112 bytes
MD5:	cd2b2bcbf83000676ef4037dbb03bb66
SHA1:	ff10325598dc14f9262cf7935ee3be30885ba64a
SHA256:	f7d131d6a5c70ff070c398c077889ec22598e92b456a1b199b320579b5f44599
SHA512:	3f3571ad91b06337a6bd1d5afb55247633710abe15d8816ec7ce95b19ec5ceb57a128027eaa6fd1f862ad3c1f06e8cf39c16ff357dab61c2acc51dc755e20b37
SSDEEP:	49152:b5Qyek0/WQInPS5WDHX+s8KuqGaX0ToIBAUZLY:PB0/5S8JBAUZL
TLSH:	70364C237410D440E8410B7BE5A2563874AA1F54B8FAC443FB4CBE67B9797136A2FB1B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c.._'a..'a..'a..H~...a..H~..!a...}...a..\}.."a...n.. a..'a..3b...n...a...G...a...G..Ha...~..Fa...~..:a..'a...a...g..&a..Rich'a.

File Icon


Icon Hash:	aaf2e3e39383aa00

Static PE Info

General

Entrypoint:	0x74fe61
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x67DCC5DE [Fri Mar 21 01:50:22 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	947d8c41fecfe945777a01ed996308f0

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 00881BD8h
push 0075276Ch
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 58h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
call dword ptr [00771340h]
xor edx, edx
mov dl, ah
mov dword ptr [009318CCh], edx
mov ecx, eax
and ecx, 000000FFh
mov dword ptr [009318C8h], ecx
shl ecx, 08h
add ecx, edx
mov dword ptr [009318C4h], ecx
shr eax, 10h
mov dword ptr [009318C0h], eax
push 00000001h
call 00007F3AB080E61Ch
pop ecx
test eax, eax
jne 00007F3AB080865Ah
push 0000001Ch
call 00007F3AB0808718h
pop ecx
call 00007F3AB080E3C7h
test eax, eax
jne 00007F3AB080865Ah
push 00000010h
call 00007F3AB0808707h
pop ecx
xor esi, esi
mov dword ptr [ebp-04h], esi
call 00007F3AB080E1F5h
call dword ptr [0077122Ch]
mov dword ptr [00936B24h], eax
call 00007F3AB080E0B3h
mov dword ptr [00931838h], eax
call 00007F3AB080DE5Ch
call 00007F3AB080DD9Eh
call 00007F3AB080CD74h
mov dword ptr [ebp-30h], esi
lea eax, dword ptr [ebp-5Ch]
push eax
call dword ptr [007711B8h]
call 00007F3AB080DD2Fh
mov dword ptr [ebp-64h], eax
test byte ptr [ebp-30h], 00000001h
je 00007F3AB0808658h
movzx eax, word ptr [ebp+00h]

Rich Headers

Programming Language:

[ C ] VS98 (6.0) SP6 build 8804
[C++] VS98 (6.0) SP6 build 8804
[C++] VS98 (6.0) build 8168
[ C ] VS98 (6.0) build 8168
[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x489928	0x1cc	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x537000	0x5e00	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x371000	0x988	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x36fe22	0x370000	0a4bcaf7b074010307014728a3847f2e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x371000	0x11bc26	0x11c000	e3ea2289e674c480d67a9275476e735c	False	0.6583793532680458	data	7.271031752090512	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x48d000	0xa9b2a	0x65000	ecde1c1d9ae35f2572c330ef2bb1bf3a	False	0.2311214031559406	data	5.508119211086441	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x537000	0x5e00	0x6000	1c45db49f6ac39bb7caff57fa44dd03a	False	0.3072509765625	data	4.776831715287439	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
TEXTINCLUDE	0x5389b0	0xb	ASCII text, with no line terminators	Chinese	China	1.7272727272727273
TEXTINCLUDE	0x5389c0	0x16	data	Chinese	China	1.3636363636363635
TEXTINCLUDE	0x5389d8	0x151	C source, ASCII text, with CRLF line terminators	Chinese	China	0.6201780415430267
RT_CURSOR	0x53a290	0x134	data	Chinese	China	0.5811688311688312
RT_CURSOR	0x53a3e0	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	Chinese	China	0.37662337662337664
RT_CURSOR	0x53a530	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	Chinese	China	0.4805194805194805
RT_CURSOR	0x53a668	0xb4	Targa image data - Map 32 x 65536 x 1 +16 "\001"	Chinese	China	0.7
RT_BITMAP	0x537b60	0x248	Device independent bitmap graphic, 64 x 15 x 4, image size 480	Chinese	China	0.3407534246575342
RT_BITMAP	0x537da8	0x144	Device independent bitmap graphic, 33 x 11 x 4, image size 220	Chinese	China	0.4444444444444444
RT_BITMAP	0x537ef0	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m	Chinese	China	0.26453488372093026
RT_BITMAP	0x538048	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m	Chinese	China	0.2616279069767442
RT_BITMAP	0x5381a0	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m	Chinese	China	0.2441860465116279
RT_BITMAP	0x5382f8	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m	Chinese	China	0.24709302325581395
RT_BITMAP	0x538450	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m	Chinese	China	0.2238372093023256
RT_BITMAP	0x5385a8	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240	Chinese	China	0.19476744186046513
RT_BITMAP	0x538700	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240	Chinese	China	0.20930232558139536
RT_BITMAP	0x538858	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240	Chinese	China	0.18895348837209303
RT_BITMAP	0x53a748	0x5e4	Device independent bitmap graphic, 70 x 39 x 4, image size 1404	Chinese	China	0.34615384615384615
RT_BITMAP	0x53ae18	0xb8	Device independent bitmap graphic, 12 x 10 x 4, image size 80	Chinese	China	0.44565217391304346
RT_BITMAP	0x53aed0	0x16c	Device independent bitmap graphic, 39 x 13 x 4, image size 260	Chinese	China	0.28296703296703296
RT_BITMAP	0x53b040	0x144	Device independent bitmap graphic, 33 x 11 x 4, image size 220	Chinese	China	0.37962962962962965
RT_ICON	0x538b30	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	Chinese	China	0.26344086021505375
RT_ICON	0x538e30	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	Chinese	China	0.41216216216216217
RT_ICON	0x53ba80	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4136			0.25140712945590993
RT_MENU	0x539ff8	0xc	data	Chinese	China	1.5
RT_MENU	0x53a008	0x284	data	Chinese	China	0.5
RT_DIALOG	0x539ce0	0x98	data	Chinese	China	0.7171052631578947
RT_DIALOG	0x539d78	0x17a	data	Chinese	China	0.5185185185185185
RT_DIALOG	0x539ef8	0xfa	data	Chinese	China	0.696
RT_DIALOG	0x5399a8	0xea	data	Chinese	China	0.6239316239316239
RT_DIALOG	0x538f70	0x8ae	data	Chinese	China	0.39603960396039606
RT_DIALOG	0x539820	0xb2	data	Chinese	China	0.7359550561797753
RT_DIALOG	0x5398d8	0xcc	data	Chinese	China	0.7647058823529411
RT_DIALOG	0x539a98	0xb2	data	Chinese	China	0.6629213483146067
RT_DIALOG	0x53ad30	0xe2	data	Chinese	China	0.6637168141592921
RT_DIALOG	0x539b50	0x18c	data	Chinese	China	0.5227272727272727
RT_STRING	0x53b188	0x50	data	Chinese	China	0.85
RT_STRING	0x53b1d8	0x2c	data	Chinese	China	0.5909090909090909
RT_STRING	0x53b208	0x78	data	Chinese	China	0.925
RT_STRING	0x53b280	0x1c4	data	Chinese	China	0.8141592920353983
RT_STRING	0x53b5d0	0x12a	data	Chinese	China	0.5201342281879194
RT_STRING	0x53b488	0x146	data	Chinese	China	0.6288343558282209
RT_STRING	0x53b448	0x40	data	Chinese	China	0.65625
RT_STRING	0x53b9f0	0x64	data	Chinese	China	0.73
RT_STRING	0x53b700	0x1d8	data	Chinese	China	0.6758474576271186
RT_STRING	0x53b8d8	0x114	data	Chinese	China	0.6376811594202898
RT_STRING	0x53ba58	0x24	data	Chinese	China	0.4444444444444444
RT_GROUP_CURSOR	0x53a518	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China	1.25
RT_GROUP_CURSOR	0x53a3c8	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China	1.25
RT_GROUP_CURSOR	0x53a720	0x22	Lotus unknown worksheet or configuration, revision 0x2	Chinese	China	1.0294117647058822
RT_GROUP_ICON	0x53cb28	0x14	data			1.2
RT_GROUP_ICON	0x538e18	0x14	data	Chinese	China	1.2
RT_GROUP_ICON	0x538f58	0x14	data	Chinese	China	1.25
RT_MANIFEST	0x53cb40	0x2b9	XML 1.0 document, ASCII text, with very long lines (697), with no line terminators			0.5279770444763271

Imports

DLL	Import
kernel32.dll	WriteFile, CloseHandle, GetModuleFileNameA, CreateFileA, HeapFree, LocalSize, HeapReAlloc, HeapAlloc, ExitProcess, GetTickCount, GetTempPathA, Sleep, GetLocalTime, GetCurrentDirectoryA, ReadFile, IsBadReadPtr, GetProcessHeap, VirtualAlloc, VirtualProtectEx, WideCharToMultiByte, LocalAlloc, lstrlenW, GetFileSize, FreeLibrary, LoadLibraryA, LCMapStringA, FlushFileBuffers, MapViewOfFile, LCMapStringW, IsBadCodePtr, SetUnhandledExceptionFilter, InterlockedIncrement, InterlockedDecrement, SetFilePointer, GetStringTypeW, GetStringTypeA, GetOEMCP, GetCommandLineA, GetVersion, RtlUnwind, TerminateProcess, GetCurrentProcess, GetCurrentThreadId, TlsSetValue, TlsAlloc, GetModuleHandleA, SetStdHandle, RtlMoveMemory, LocalFree, GlobalAlloc, GlobalLock, TlsFree, SetLastError, TlsGetValue, GetLastError, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, DeleteCriticalSection, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStrings, GetEnvironmentStringsW, GetEnvironmentVariableA, GetVersionExA, HeapDestroy, HeapCreate, VirtualFree, RaiseException, GlobalUnlock, GlobalFree, LoadLibraryW, GetProcAddress, MultiByteToWideChar, CreateFileMappingA, IsBadWritePtr, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, GetCPInfo, GetACP
user32.dll	MessageBoxA, ShowWindow, TrackMouseEvent, CallWindowProcA, IsWindow, ReleaseDC, UpdateLayeredWindow, GetDC, wsprintfA, GetWindowLongA, DispatchMessageA, OpenClipboard, GetSystemMetrics, GetClassNameA, EnumWindows, GetCursorPos, GetClipboardData, GetMessageA, PeekMessageA, GetAncestor, GetWindowRect, TranslateMessage, CreateWindowExA, SendMessageA, EnumChildWindows, GetPropA, SetPropA, CloseClipboard
gdi32.dll	CreateCompatibleDC, SelectObject, DeleteDC, CreateDIBSection, DeleteObject
gdiplus.dll	GdipGetRegionBounds, GdipCreateFromHDC, GdipCreateBitmapFromScan0, GdipGetImageGraphicsContext, GdipDisposeImage, GdiplusStartup, GdipSetSolidFillColor, GdipCreateSolidFill, GdipDeleteBrush, GdipSetTextRenderingHint, GdipLoadImageFromStream, GdipLoadImageFromFile, GdipDrawRectangleI, GdipGetImageWidth, GdipDeletePen, GdipSetSmoothingMode, GdipGetImageHeight
ole32.dll	OleInitialize, OleUninitialize, CLSIDFromString, CreateStreamOnHGlobal, CLSIDFromString
imm32.dll	ImmGetContext, ImmAssociateContext, ImmGetCompositionStringW, ImmReleaseContext, ImmSetCompositionWindow
shell32.dll	ShellExecuteA, SHAppBarMessage
shlwapi.dll	PathFileExistsA
winmm.dll	PlaySoundA
WINMM.dll	midiStreamProperty, midiOutPrepareHeader, midiStreamOut, midiStreamOpen, midiOutUnprepareHeader, waveOutRestart, waveOutUnprepareHeader, waveOutPrepareHeader, waveOutWrite, waveOutPause, waveOutReset, waveOutClose, waveOutGetNumDevs, midiStreamStop, midiOutReset, midiStreamClose, midiStreamRestart, waveOutOpen
WS2_32.dll	WSAAsyncSelect, closesocket, send, select, WSAStartup, gethostbyname, inet_ntoa, recvfrom, ioctlsocket, recv, getpeername, accept, ntohl, WSACleanup
RASAPI32.dll	RasGetConnectStatusA, RasHangUpA
KERNEL32.dll	VirtualFree, HeapCreate, HeapDestroy, GetEnvironmentVariableA, GetStdHandle, SetHandleCount, GetEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsW, FreeEnvironmentStringsA, UnhandledExceptionFilter, GetFileType, SetStdHandle, HeapSize, RaiseException, GetLocalTime, GetSystemTime, RtlUnwind, GetStartupInfoA, GetOEMCP, GetCPInfo, GetProcessVersion, SetErrorMode, GlobalFlags, GetCurrentThread, GetFileTime, TlsGetValue, LocalReAlloc, TlsSetValue, TlsFree, GlobalHandle, TlsAlloc, LocalAlloc, lstrcmpA, GlobalGetAtomNameA, GlobalAddAtomA, GlobalFindAtomA, GlobalDeleteAtom, SetEnvironmentVariableA, LCMapStringA, LCMapStringW, VirtualAlloc, IsBadWritePtr, SetUnhandledExceptionFilter, CloseHandle, WaitForSingleObject, GetTickCount, GetCommandLineA, MulDiv, GetProcAddress, GetModuleHandleA, GetVolumeInformationA, SetCurrentDirectoryA, GetFileAttributesA, FindClose, FindFirstFileA, GetTempPathA, GlobalUnlock, GlobalLock, GlobalAlloc, Sleep, CreateEventA, CreateThread, GetPrivateProfileStringA, WritePrivateProfileStringA, GetVersionExA, GetLastError, LoadLibraryA, FreeLibrary, GetFullPathNameA, HeapAlloc, GetProcessHeap, HeapReAlloc, HeapFree, GlobalReAlloc, FindNextFileA, lstrcpyA, WinExec, lstrlenA, lstrcatA, InitializeCriticalSection, DeleteCriticalSection, GlobalFree, GlobalSize, ExitProcess, GetCurrentThreadId, MultiByteToWideChar, WideCharToMultiByte, GetModuleFileNameA, ReadFile, LockResource, LoadResource, FindResourceA, SetEvent, CreateFileA, WaitForMultipleObjects, WriteFile, GetProfileStringA, LeaveCriticalSection, EnterCriticalSection, ReleaseSemaphore, ResumeThread, CreateSemaphoreA, TerminateThread, Process32Next, Process32First, CreateToolhelp32Snapshot, SetFilePointer, GetFileSize, GetCurrentProcess, TerminateProcess, OpenProcess, GetWindowsDirectoryA, GetSystemDirectoryA, SetLastError, GetTimeZoneInformation, GetVersion, FileTimeToSystemTime, CreateMutexA, ReleaseMutex, SuspendThread, GetACP, GetStringTypeA, GetStringTypeW, CompareStringA, CompareStringW, IsBadReadPtr, IsBadCodePtr, InterlockedExchange, lstrcmpiA, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, DuplicateHandle, lstrcpynA, FileTimeToLocalFileTime, LocalFree, InterlockedDecrement, InterlockedIncrement
USER32.dll	DrawIconEx, CreateIconFromResource, CreateIconFromResourceEx, RegisterClipboardFormatA, SetRectEmpty, DispatchMessageA, GetMessageA, WindowFromPoint, DrawFocusRect, DrawEdge, DrawFrameControl, TranslateMessage, LoadIconA, GetDesktopWindow, GetClassNameA, GetWindowThreadProcessId, FindWindowA, UnregisterClassA, GetWindowTextA, SetWindowTextA, GetForegroundWindow, EqualRect, UpdateWindow, ValidateRect, InvalidateRect, CreatePopupMenu, GetClientRect, GetFocus, GetParent, GetTopWindow, PostMessageA, IsWindow, SetParent, DestroyCursor, SendMessageA, SetWindowPos, MessageBoxA, GetCursorPos, GetSystemMetrics, EmptyClipboard, SetClipboardData, OpenClipboard, GetClipboardData, CloseClipboard, wsprintfA, IsZoomed, GetClassInfoA, DefWindowProcA, GetSystemMenu, GetWindowRect, DeleteMenu, GetMenu, SetMenu, PeekMessageA, IsIconic, SetFocus, GetActiveWindow, GetWindow, GetDlgCtrlID, AppendMenuA, ModifyMenuA, CreateMenu, GetWindowTextLengthA, CharUpperA, GetWindowDC, BeginPaint, EndPaint, TabbedTextOutA, DrawTextA, GrayStringA, DestroyWindow, CreateDialogIndirectParamA, EndDialog, GetNextDlgTabItem, GetWindowPlacement, RegisterWindowMessageA, GetLastActivePopup, GetMessageTime, RemovePropA, CallWindowProcA, GetPropA, UnhookWindowsHookEx, SetPropA, GetClassLongA, CallNextHookEx, SetWindowsHookExA, CreateWindowExA, GetMenuItemID, GetMenuItemCount, RegisterClassA, GetScrollPos, AdjustWindowRectEx, MapWindowPoints, SendDlgItemMessageA, ScrollWindowEx, IsDialogMessageA, MoveWindow, CheckMenuItem, SetMenuItemBitmaps, GetMenuState, GetMenuCheckMarkDimensions, LoadStringA, GetSysColorBrush, GetSubMenu, DestroyAcceleratorTable, SetWindowRgn, GetMessagePos, ScreenToClient, ChildWindowFromPointEx, CopyRect, LoadBitmapA, EnableMenuItem, ClientToScreen, EnumDisplaySettingsA, LoadImageA, SystemParametersInfoA, ShowWindow, IsWindowEnabled, TranslateAcceleratorA, GetKeyState, CopyAcceleratorTableA, CreateAcceleratorTableA, WinHelpA, KillTimer, SetTimer, ReleaseCapture, GetCapture, SetCapture, GetScrollRange, SetScrollRange, SetScrollPos, SetRect, InflateRect, IntersectRect, DestroyIcon, PtInRect, OffsetRect, IsWindowVisible, EnableWindow, RedrawWindow, GetWindowLongA, SetWindowLongA, GetSysColor, SetActiveWindow, SetCursorPos, LoadCursorA, SetCursor, GetDC, FillRect, IsRectEmpty, ReleaseDC, IsChild, DestroyMenu, SetForegroundWindow, PostQuitMessage, GetDlgItem
GDI32.dll	LineTo, MoveToEx, ExcludeClipRect, GetClipBox, ScaleWindowExtEx, SetWindowExtEx, SetWindowOrgEx, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, SetViewportOrgEx, SetMapMode, SetTextColor, SetROP2, SetPolyFillMode, SetBkMode, RestoreDC, SaveDC, ExtSelectClipRgn, GetViewportExtEx, PtVisible, RectVisible, TextOutA, ExtTextOutA, Escape, GetTextMetricsA, GetTextExtentPoint32A, RoundRect, GetCurrentObject, DPtoLP, LPtoDP, Rectangle, Ellipse, CreateCompatibleDC, SetBkColor, CreateRectRgnIndirect, SetStretchBltMode, GetClipRgn, CreatePolygonRgn, SelectClipRgn, DeleteObject, CreateDIBitmap, GetSystemPaletteEntries, CreatePalette, StretchBlt, SelectPalette, RealizePalette, GetDIBits, GetWindowExtEx, GetViewportOrgEx, GetWindowOrgEx, BeginPath, EndPath, PathToRegion, BitBlt, StartPage, StartDocA, DeleteDC, EndDoc, EndPage, GetObjectA, GetStockObject, CreateFontIndirectA, CreateSolidBrush, FillRgn, CreateRectRgn, CombineRgn, PatBlt, CreatePen, CreateEllipticRgn, CreateRoundRectRgn, GetTextColor, GetBkMode, GetBkColor, GetROP2, GetStretchBltMode, GetPolyFillMode, CreateCompatibleBitmap, CreateDCA, SelectObject, CreateBitmap, GetDeviceCaps
WINSPOOL.DRV	DocumentPropertiesA, OpenPrinterA, ClosePrinter
ADVAPI32.dll	RegCloseKey, RegOpenKeyExA, RegCreateKeyExA, RegSetValueExA, RegQueryValueA
SHELL32.dll	SHGetSpecialFolderPathA, Shell_NotifyIconA, ShellExecuteA
OLEAUT32.dll	UnRegisterTypeLib, LoadTypeLib, RegisterTypeLib
COMCTL32.dll	ImageList_Destroy
WININET.dll	InternetCloseHandle, InternetOpenA, InternetSetOptionA, InternetConnectA, InternetReadFile, HttpQueryInfoA, HttpSendRequestA, HttpOpenRequestA, InternetCrackUrlA, InternetCanonicalizeUrlA
comdlg32.dll	GetOpenFileNameA, GetSaveFileNameA, GetFileTitleA, ChooseColorA

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China

Network Behavior

Download Network PCAP: filtered – full

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 23, 2025 19:14:26.180108070 CET	49717	8010	192.168.2.4	8.129.15.38
Mar 23, 2025 19:14:26.537875891 CET	8010	49717	8.129.15.38	192.168.2.4
Mar 23, 2025 19:14:26.538006067 CET	49717	8010	192.168.2.4	8.129.15.38
Mar 23, 2025 19:14:26.539021969 CET	49717	8010	192.168.2.4	8.129.15.38
Mar 23, 2025 19:14:26.932677031 CET	8010	49717	8.129.15.38	192.168.2.4
Mar 23, 2025 19:14:26.937531948 CET	49717	8010	192.168.2.4	8.129.15.38
Mar 23, 2025 19:14:26.939973116 CET	49719	8010	192.168.2.4	8.129.15.38
Mar 23, 2025 19:14:27.266226053 CET	8010	49719	8.129.15.38	192.168.2.4
Mar 23, 2025 19:14:27.266329050 CET	49719	8010	192.168.2.4	8.129.15.38
Mar 23, 2025 19:14:27.266580105 CET	49719	8010	192.168.2.4	8.129.15.38
Mar 23, 2025 19:14:27.295290947 CET	8010	49717	8.129.15.38	192.168.2.4
Mar 23, 2025 19:14:27.295325041 CET	8010	49717	8.129.15.38	192.168.2.4
Mar 23, 2025 19:14:27.295423985 CET	49717	8010	192.168.2.4	8.129.15.38
Mar 23, 2025 19:14:27.636420965 CET	8010	49719	8.129.15.38	192.168.2.4
Mar 23, 2025 19:14:27.666980982 CET	8010	49719	8.129.15.38	192.168.2.4
Mar 23, 2025 19:14:27.667289972 CET	49719	8010	192.168.2.4	8.129.15.38
Mar 23, 2025 19:14:27.990552902 CET	8010	49719	8.129.15.38	192.168.2.4
Mar 23, 2025 19:14:27.990578890 CET	8010	49719	8.129.15.38	192.168.2.4
Mar 23, 2025 19:14:27.990655899 CET	49719	8010	192.168.2.4	8.129.15.38

Statistics

CPU Usage

• LSVRQikoT1.exe

Click to jump to process

Memory Usage

• LSVRQikoT1.exe

Click to jump to process

High Level Behavior Distribution

• File
• Network

Click to dive into process behavior distribution

Target ID:	0
Start time:	14:14:12
Start date:	23/03/2025
Path:	C:\Users\user\Desktop\LSVRQikoT1.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\LSVRQikoT1.exe"
Imagebase:	0x400000
File size:	5'210'112 bytes
MD5 hash:	CD2B2BCBF83000676EF4037DBB03BB66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report LSVRQikoT1.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

TCP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: LSVRQikoT1.exePID: 7256, Parent PID: 3964

General

File Activities

File Opened

File Read

File Attributes Queried

Other File Operations

Windows Analysis Report
LSVRQikoT1.exe