
Windows Analysis Report FIa4FloXT2

Overview

General Information

Sample Name: FIa4FloXT2 (renamed file extension from none to exe)
Analysis ID: 439402
MD5: fc3ff936df705f3f087c3ec1959d65d3
SHA1: 260173f8753b936faa33795e2d199bc0a2217694
SHA256: a82caeb719bc400a3b75ec950f856b250aae522f5e88b147fddfd7c3aa28536c
Tags: 32, exe, trojan

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Performs a network lookup / discovery via ARP
Tries to detect virtualization through RDTSC time measurements
Yara detected Costura Assembly Loader
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Conhost Parent Process Executions
Too many similar processes found
Uses 32bit PE files

Classification

Process Tree

  • System is w10x64
  • FIa4FloXT2.exe (PID: 980 cmdline: 'C:\Users\user\Desktop\FIa4FloXT2.exe' MD5: FC3FF936DF705F3F087C3EC1959D65D3)
    • ARP.EXE (PID: 5820 cmdline: 'C:\Windows\System32\arp.exe' -a MD5: D0F33D464A967DA483BBEEFE4D9D3683)
      • conhost.exe (PID: 1536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • ARP.EXE (PID: 5724 cmdline: 'C:\Windows\System32\arp.exe' -a MD5: D0F33D464A967DA483BBEEFE4D9D3683)
      • conhost.exe (PID: 5756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • ARP.EXE (PID: 1148 cmdline: 'C:\Windows\System32\arp.exe' -a MD5: D0F33D464A967DA483BBEEFE4D9D3683)
      • conhost.exe (PID: 3624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • ARP.EXE (PID: 5716 cmdline: 'C:\Windows\System32\arp.exe' -a MD5: D0F33D464A967DA483BBEEFE4D9D3683)
      • conhost.exe (PID: 5964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • conhost.exe (PID: 5940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • conhost.exe (PID: 5888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • ARP.EXE (PID: 5652 cmdline: 'C:\Windows\System32\arp.exe' -a MD5: D0F33D464A967DA483BBEEFE4D9D3683)
      • conhost.exe (PID: 5732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • ARP.EXE (PID: 3536 cmdline: 'C:\Windows\System32\arp.exe' -a MD5: D0F33D464A967DA483BBEEFE4D9D3683)
      • conhost.exe (PID: 2892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • ARP.EXE (PID: 5944 cmdline: 'C:\Windows\System32\arp.exe' -a MD5: D0F33D464A967DA483BBEEFE4D9D3683)
      • conhost.exe (PID: 5656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • ARP.EXE (PID: 1296 cmdline: 'C:\Windows\System32\arp.exe' -a MD5: D0F33D464A967DA483BBEEFE4D9D3683)
      • conhost.exe (PID: 5096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • ARP.EXE (PID: 5964 cmdline: 'C:\Windows\System32\arp.exe' -a MD5: D0F33D464A967DA483BBEEFE4D9D3683)
    • ARP.EXE (PID: 5624 cmdline: 'C:\Windows\System32\arp.exe' -a MD5: D0F33D464A967DA483BBEEFE4D9D3683)
      • conhost.exe (PID: 5848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • ARP.EXE (PID: 4328 cmdline: 'C:\Windows\System32\arp.exe' -a MD5: D0F33D464A967DA483BBEEFE4D9D3683)
      • conhost.exe (PID: 772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • ARP.EXE (PID: 3532 cmdline: 'C:\Windows\System32\arp.exe' -a MD5: D0F33D464A967DA483BBEEFE4D9D3683)
      • conhost.exe (PID: 5192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • conhost.exe (PID: 5316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • ARP.EXE (PID: 5488 cmdline: 'C:\Windows\System32\arp.exe' -a MD5: D0F33D464A967DA483BBEEFE4D9D3683)
      • conhost.exe (PID: 5492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • ARP.EXE (PID: 5788 cmdline: 'C:\Windows\System32\arp.exe' -a MD5: D0F33D464A967DA483BBEEFE4D9D3683)
      • conhost.exe (PID: 5832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • ARP.EXE (PID: 988 cmdline: 'C:\Windows\System32\arp.exe' -a MD5: D0F33D464A967DA483BBEEFE4D9D3683)
      • conhost.exe (PID: 4644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • ARP.EXE (PID: 5912 cmdline: 'C:\Windows\System32\arp.exe' -a MD5: D0F33D464A967DA483BBEEFE4D9D3683)
      • conhost.exe (PID: 5608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • conhost.exe (PID: 1344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • ARP.EXE (PID: 4312 cmdline: 'C:\Windows\System32\arp.exe' -a MD5: D0F33D464A967DA483BBEEFE4D9D3683)
      • conhost.exe (PID: 956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • ARP.EXE (PID: 5920 cmdline: 'C:\Windows\System32\arp.exe' -a MD5: D0F33D464A967DA483BBEEFE4D9D3683)
      • conhost.exe (PID: 5928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • ARP.EXE (PID: 5364 cmdline: 'C:\Windows\System32\arp.exe' -a MD5: D0F33D464A967DA483BBEEFE4D9D3683)
      • conhost.exe (PID: 5312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • ARP.EXE (PID: 3532 cmdline: 'C:\Windows\System32\arp.exe' -a MD5: D0F33D464A967DA483BBEEFE4D9D3683)
    • ARP.EXE (PID: 5504 cmdline: 'C:\Windows\System32\arp.exe' -a MD5: D0F33D464A967DA483BBEEFE4D9D3683)
      • conhost.exe (PID: 5500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • ARP.EXE (PID: 5036 cmdline: 'C:\Windows\System32\arp.exe' -a MD5: D0F33D464A967DA483BBEEFE4D9D3683)
      • conhost.exe (PID: 5016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • ARP.EXE (PID: 5964 cmdline: 'C:\Windows\System32\arp.exe' -a MD5: D0F33D464A967DA483BBEEFE4D9D3683)
    • ARP.EXE (PID: 5608 cmdline: 'C:\Windows\System32\arp.exe' -a MD5: D0F33D464A967DA483BBEEFE4D9D3683)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.601229471.000001EE09091000.00000004.00000001.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
00000000.00000002.610107794.000001EE219E0000.00000004.00000001.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
00000000.00000002.601609293.000001EE09107000.00000004.00000001.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
00000000.00000002.604784993.000001EE190B1000.00000004.00000001.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.FIa4FloXT2.exe.1ee1959a438.3.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
0.2.FIa4FloXT2.exe.1ee219e0000.9.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
0.2.FIa4FloXT2.exe.1ee1959a438.3.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
0.2.FIa4FloXT2.exe.1ee219e0000.9.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
0.2.FIa4FloXT2.exe.1ee190b1928.2.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Conhost Parent Process Executions
Source: Process started | Author: omkar72 | Data: Command: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine|base64offset|contains: }}, Image: C:\Windows\System32\conhost.exe, NewProcessName: C:\Windows\System32\conhost.exe, OriginalFileName: C:\Windows\System32\conhost.exe, ParentCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ParentImage: C:\Windows\System32\conhost.exe, ParentProcessId: 5964, ProcessCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ProcessId: 5940

Signature Overview


AV Detection:

Multi AV Scanner detection for submitted file
Source: FIa4FloXT2.exe | Virustotal: Detection: 28%
Source: FIa4FloXT2.exe | ReversingLabs: Detection: 13%
Source: FIa4FloXT2.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: unknown | HTTPS traffic detected: 172.67.75.124:443 -> 192.168.2.6:49719 version: TLS 1.2
Source: FIa4FloXT2.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: clrjit.pdb | source: FIa4FloXT2.exe, 00000000.00000002.611026355.000001EE21F30000.00000004.00000001.sdmp
Source: Binary string: costura.costura.pdb.compressed | source: FIa4FloXT2.exe, 00000000.00000002.601229471.000001EE09091000.00000004.00000001.sdmp
Source: Binary string: costura.costura.pdb.compressed|||Costura.pdb|52414EC411DEA325110F0AD21378C8D101897989|2544 | source: FIa4FloXT2.exe, 00000000.00000002.604784993.000001EE190B1000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Ilham\Documents\Visual Studio 2019\Projects\Siticone.UI\Build\Release\Siticone.UI.WinForms\Siticone.UI.pdb | source: FIa4FloXT2.exe, 00000000.00000002.610669296.000001EE21DA9000.00000004.00000001.sdmp
Source: Binary string: {3ec7b3ed-503d-4bd7-854f-32934e0d7e04}<Module>#A.#Jc.resources#A.#Kc.resources#A.#ck.resources#A.#4e.resources#A.#hf.resources#A.#Fb.resources#A.#gg.resourcesiBaseult.Properties.Resources.resources#A.#Hb.resourcescostura.costura.dll.compressedcostura.costura.pdb.compressedcostura.metroframework.design.dll.compressedcostura.metroframework.dll.compressedcostura.metroframework.fonts.dll.compressedcostura.siticone.ui.dll.compressedcostura.system.buffers.dll.compressedcostura.system.diagnostics.diagnosticsource.dll.compressedcostura.system.memory.dll.compressedcostura.system.numerics.vectors.dll.compressedcostura.system.runtime.compilerservices.unsafe.dll.compressedcostura.metadata | source: FIa4FloXT2.exe, 00000000.00000002.604784993.000001EE190B1000.00000004.00000001.sdmp

Spreading:

Performs a network lookup / discovery via ARP
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeProcess created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -a
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeProcess created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -a
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeProcess created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -a
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeProcess created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -a
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeProcess created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -a
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeProcess created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -a
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeProcess created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -a
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeProcess created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -a
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeProcess created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -a
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeProcess created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -a
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeProcess created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -a
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeProcess created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -a
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeProcess created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -a
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeProcess created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -a
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeProcess created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -a
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeProcess created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -a
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeProcess created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -a
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeProcess created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -a
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeProcess created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -a
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeProcess created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -a
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeProcess created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -a
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeProcess created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -a
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeProcess created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -aJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeProcess created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -aJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeProcess created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -aJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeProcess created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -aJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeProcess created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -aJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeProcess created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -aJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeProcess created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -aJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeProcess created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -aJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeProcess created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -aJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeProcess created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -aJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeProcess created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -aJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeProcess created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -aJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeProcess created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -aJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeProcess created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -aJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeProcess created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -aJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeProcess created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -aJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeProcess created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -aJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeProcess created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -aJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeProcess created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -aJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeProcess created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -aJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeProcess created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -aJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeProcess created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -aJump to behavior
                    Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                    Source: unknownDNS traffic detected: queries for: api.auth.gg
                    Source: FIa4FloXT2.exe, 00000000.00000002.600125573.000001EE0758A000.00000004.00000020.sdmpString found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
                    Source: FIa4FloXT2.exe, 00000000.00000002.610669296.000001EE21DA9000.00000004.00000001.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
                    Source: FIa4FloXT2.exe, 00000000.00000002.610669296.000001EE21DA9000.00000004.00000001.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
                    Source: FIa4FloXT2.exe, 00000000.00000002.600125573.000001EE0758A000.00000004.00000020.sdmpString found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
                    Source: FIa4FloXT2.exe, 00000000.00000002.610669296.000001EE21DA9000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
                    Source: FIa4FloXT2.exe, 00000000.00000002.610669296.000001EE21DA9000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
                    Source: FIa4FloXT2.exe, 00000000.00000002.600625100.000001EE08F35000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
                    Source: FIa4FloXT2.exe, 00000000.00000002.600125573.000001EE0758A000.00000004.00000020.sdmpString found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0
                    Source: FIa4FloXT2.exe, 00000000.00000002.610669296.000001EE21DA9000.00000004.00000001.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
                    Source: FIa4FloXT2.exe, 00000000.00000002.610669296.000001EE21DA9000.00000004.00000001.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
                    Source: FIa4FloXT2.exe, 00000000.00000003.344382026.000001EE22545000.00000004.00000001.sdmpString found in binary or memory: http://en.w
                    Source: FIa4FloXT2.exe, 00000000.00000003.344348394.000001EE22545000.00000004.00000001.sdmpString found in binary or memory: http://en.wcUr
                    Source: FIa4FloXT2.exe, 00000000.00000002.604784993.000001EE190B1000.00000004.00000001.sdmpString found in binary or memory: http://gdata.youtube.com/feeds/api/videos/
                    Source: FIa4FloXT2.exe, 00000000.00000002.600125573.000001EE0758A000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.digicert.com0
                    Source: FIa4FloXT2.exe, 00000000.00000002.600625100.000001EE08F35000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0:
                    Source: FIa4FloXT2.exe, 00000000.00000002.610669296.000001EE21DA9000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0A
                    Source: FIa4FloXT2.exe, 00000000.00000002.610669296.000001EE21DA9000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0C
                    Source: FIa4FloXT2.exe, 00000000.00000002.601229471.000001EE09091000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: FIa4FloXT2.exe, 00000000.00000002.604784993.000001EE190B1000.00000004.00000001.sdmpString found in binary or memory: http://vimeo.com/api/v2/video/
                    Source: FIa4FloXT2.exe, 00000000.00000002.600125573.000001EE0758A000.00000004.00000020.sdmpString found in binary or memory: http://www.digicert.com/CPS0v
                    Source: FIa4FloXT2.exe, 00000000.00000002.610669296.000001EE21DA9000.00000004.00000001.sdmpString found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
                    Source: FIa4FloXT2.exe, 00000000.00000003.344298483.000001EE22557000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
                    Source: FIa4FloXT2.exe, 00000000.00000003.344298483.000001EE22557000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.comIGl
                    Source: FIa4FloXT2.exe, 00000000.00000003.344298483.000001EE22557000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.comLGk
                    Source: FIa4FloXT2.exe, 00000000.00000003.344298483.000001EE22557000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.comT
                    Source: FIa4FloXT2.exe, 00000000.00000003.347892582.000001EE2255A000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
                    Source: FIa4FloXT2.exe, 00000000.00000003.347951288.000001EE22588000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com_
                    Source: FIa4FloXT2.exe, 00000000.00000002.601229471.000001EE09091000.00000004.00000001.sdmpString found in binary or memory: https://api.auth.gg
                    Source: FIa4FloXT2.exe, 00000000.00000002.601229471.000001EE09091000.00000004.00000001.sdmpString found in binary or memory: https://api.auth.gg/csharp/8W
                    Source: FIa4FloXT2.exe, 00000000.00000002.601485559.000001EE090EA000.00000004.00000001.sdmp, FIa4FloXT2.exe, 00000000.00000002.601609293.000001EE09107000.00000004.00000001.sdmpString found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
                    Source: FIa4FloXT2.exe, 00000000.00000002.604784993.000001EE190B1000.00000004.00000001.sdmpString found in binary or memory: https://stackoverflow.com/questions/516730/what-does-the-visual-studio-any-cpu-target-mean
                    Source: FIa4FloXT2.exe, 00000000.00000002.600625100.000001EE08F35000.00000004.00000001.sdmpString found in binary or memory: https://www.digicert.com/CPS0
                    Source: FIa4FloXT2.exe, 00000000.00000002.604784993.000001EE190B1000.00000004.00000001.sdmpString found in binary or memory: https://www.siticoneframework.com/
                    Source: FIa4FloXT2.exe, 00000000.00000002.604784993.000001EE190B1000.00000004.00000001.sdmpString found in binary or memory: https://www.siticoneframework.com/pricing.htmlGSoftware
                    Source: FIa4FloXT2.exe, 00000000.00000002.601609293.000001EE09107000.00000004.00000001.sdmpString found in binary or memory: https://www.skyrant.net/SkyRant%20Patch.exe
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49719 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49719
                    Source: unknownHTTPS traffic detected: 172.67.75.124:443 -> 192.168.2.6:49719 version: TLS 1.2
                    Source: ARP.EXEProcess created: 44
                    Source: FIa4FloXT2.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: FIa4FloXT2.exe, 00000000.00000000.327866332.000001EE072C8000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameVAHTvmXiOTK.exe8 vs FIa4FloXT2.exe
                    Source: FIa4FloXT2.exe, 00000000.00000002.600502921.000001EE08F00000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs FIa4FloXT2.exe
                    Source: FIa4FloXT2.exe, 00000000.00000002.609678186.000001EE21740000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs FIa4FloXT2.exe
                    Source: FIa4FloXT2.exe, 00000000.00000002.610038507.000001EE21970000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs FIa4FloXT2.exe
                    Source: FIa4FloXT2.exe, 00000000.00000002.604784993.000001EE190B1000.00000004.00000001.sdmpBinary or memory string: OriginalFilename vs FIa4FloXT2.exe
                    Source: FIa4FloXT2.exe, 00000000.00000002.610669296.000001EE21DA9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSiticone.UI.dll8 vs FIa4FloXT2.exe
                    Source: FIa4FloXT2.exe, 00000000.00000002.599962577.000001EE0752C000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs FIa4FloXT2.exe
                    Source: FIa4FloXT2.exeBinary or memory string: OriginalFilenameVAHTvmXiOTK.exe8 vs FIa4FloXT2.exe
                    Source: FIa4FloXT2.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                    Source: SiticoneDotNetRT64.dll.0.drStatic PE information: Section: .reloc IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: SiticoneDotNetRT64.dll.0.drStatic PE information: Section: .reloc IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: FIa4FloXT2.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: FIa4FloXT2.exe, u0023A/u0023kc1.csCryptographic APIs: 'CreateDecryptor'
                    Source: FIa4FloXT2.exe, u0023gi/u0023qi.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.0.FIa4FloXT2.exe.1ee07100000.0.unpack, u0023A/u0023kc1.csCryptographic APIs: 'CreateDecryptor'
                    Source: 0.0.FIa4FloXT2.exe.1ee07100000.0.unpack, u0023gi/u0023qi.csCryptographic APIs: 'TransformFinalBlock'
                    Source: FIa4FloXT2.exeBinary or memory string: z.sLn
                    Source: classification engineClassification label: mal60.spre.evad.winEXE@80/1@1/2
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5964:120:WilError_01
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5732:120:WilError_01
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:772:120:WilError_01
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5192:120:WilError_01
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5096:120:WilError_01
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5608:120:WilError_01
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5500:120:WilError_01
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5492:120:WilError_01
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2892:120:WilError_01
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5848:120:WilError_01
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5756:120:WilError_01
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4644:120:WilError_01
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1536:120:WilError_01
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1344:120:WilError_01
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5656:120:WilError_01
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5888:120:WilError_01
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5016:120:WilError_01
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5316:120:WilError_01
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5928:120:WilError_01
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3624:120:WilError_01
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5832:120:WilError_01
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:956:120:WilError_01
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5312:120:WilError_01
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5940:120:WilError_01
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeFile created: C:\Users\user\AppData\Local\Temp\32a4a32f-b10a-42fc-a699-939a32e55fe5Jump to behavior
                    Source: FIa4FloXT2.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers (Software Restriction Policy settings; the CLR reads this key while starting any managed executable, so the read is not evidence of policy tampering)
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exe | File read: C:\Windows\System32\drivers\etc\hosts (3 reads)
                    Source: FIa4FloXT2.exe | Virustotal: Detection: 28%
                    Source: FIa4FloXT2.exe | ReversingLabs: Detection: 13%
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exe | File read: C:\Users\user\Desktop\FIa4FloXT2.exe:Zone.Identifier
                    Source: unknown | Process created: C:\Users\user\Desktop\FIa4FloXT2.exe 'C:\Users\user\Desktop\FIa4FloXT2.exe'
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Process created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -a
                    Source: C:\Windows\System32\ARP.EXE | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Process created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -a
                    Source: C:\Windows\System32\ARP.EXE | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Process created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -a
                    Source: C:\Windows\System32\ARP.EXE | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Process created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -a
                    Source: C:\Windows\System32\ARP.EXE | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Process created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -a
                    Source: C:\Windows\System32\ARP.EXE | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Process created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -a
                    Source: C:\Windows\System32\ARP.EXE | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Process created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -a
                    Source: C:\Windows\System32\ARP.EXE | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Process created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -a
                    Source: C:\Windows\System32\ARP.EXE | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Process created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -a
                    Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Process created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -a
                    Source: C:\Windows\System32\ARP.EXE | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Process created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -a
                    Source: C:\Windows\System32\ARP.EXE | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Process created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -a
                    Source: C:\Windows\System32\ARP.EXE | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Process created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -a
                    Source: C:\Windows\System32\ARP.EXE | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Process created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -a
                    Source: C:\Windows\System32\ARP.EXE | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Process created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -a
                    Source: C:\Windows\System32\ARP.EXE | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Process created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -a
                    Source: C:\Windows\System32\ARP.EXE | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Process created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -a
                    Source: C:\Windows\System32\ARP.EXE | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Process created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -a
                    Source: C:\Windows\System32\ARP.EXE | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Process created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -a
                    Source: C:\Windows\System32\ARP.EXE | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\ARP.EXE | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Process created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -a
                    Source: C:\Windows\System32\ARP.EXE | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Process created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -a
                    Source: C:\Windows\System32\ARP.EXE | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Process created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -a
                    Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Process created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -a (8 times)
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Process created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -a (13 times)
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 (2 times)
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Process created: unknown unknown (4 times)
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Process created: unknown unknown
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Process created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -a
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Process created: unknown unknown (2 times)
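The process-creation entries above show one pattern worth a detection rule: a single parent outside System32 launching `arp.exe -a` over and over in a short burst. The following is an added example, not code from this report or from the analysed sample. It runs a sliding-window count of ARP-table dumps per parent over process-creation telemetry. The input format (pipe-delimited `timestamp|pid|ppid|parent_image|image|command_line`), the sample lines, and the parent PID 4120 are all constructed here; map your own sensor's fields (Sysmon event 1, an EDR process feed) onto `ProcEvent` before using it.

```python
"""Flag a parent that fans out many `arp.exe -a` children within a short window.

Added example; the telemetry layout and sample events below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    ts: float           # seconds since epoch
    pid: int
    ppid: int
    parent_image: str
    image: str
    cmdline: str


def parse_line(line: str) -> ProcEvent:
    """Parse one constructed line: timestamp|pid|ppid|parent_image|image|command_line."""
    ts, pid, ppid, parent_image, image, cmdline = line.rstrip("\n").split("|", 5)
    return ProcEvent(float(ts), int(pid), int(ppid), parent_image, image, cmdline)


def is_arp_table_dump(ev: ProcEvent) -> bool:
    """True for `arp.exe -a` / `arp -a`, regardless of case and quoting."""
    if not ev.image.lower().endswith("\\arp.exe"):
        return False
    args = ev.cmdline.replace("'", " ").replace('"', " ").lower().split()
    return "-a" in args[1:]


def arp_fanout_alerts(events: Iterable[ProcEvent], min_count: int = 5,
                      window_s: float = 60.0) -> List[Tuple[int, str, int, float, float]]:
    """Return (ppid, parent_image, count, first_ts, last_ts) for each parent that
    launched at least `min_count` ARP-table dumps inside some `window_s` span.

    A sliding window over the parent's sorted child timestamps: one arp.exe per
    minute from an admin script stays quiet, the burst pattern does not.
    """
    by_parent: Dict[Tuple[int, str], List[float]] = defaultdict(list)
    for ev in events:
        if is_arp_table_dump(ev):
            by_parent[(ev.ppid, ev.parent_image)].append(ev.ts)

    alerts: List[Tuple[int, str, int, float, float]] = []
    for (ppid, parent_image), stamps in by_parent.items():
        stamps.sort()
        lo = 0
        best = None   # (count, first_ts, last_ts) of the densest qualifying window
        for hi, t in enumerate(stamps):
            while t - stamps[lo] > window_s:
                lo += 1
            count = hi - lo + 1
            if count >= min_count and (best is None or count > best[0]):
                best = (count, stamps[lo], t)
        if best:
            alerts.append((ppid, parent_image, best[0], best[1], best[2]))
    return alerts


# Constructed sample telemetry: an 8-child burst from a user-profile binary,
# one legitimate `arp -a` typed into cmd.exe, and one unrelated conhost child.
SAMPLE_LINES = [
    f"{1000 + 3 * i}|{6000 + i}|4120|C:\\Users\\user\\Desktop\\FIa4FloXT2.exe|"
    f"C:\\Windows\\System32\\ARP.EXE|'C:\\Windows\\System32\\arp.exe' -a"
    for i in range(8)
] + [
    "1010|7001|4120|C:\\Users\\user\\Desktop\\FIa4FloXT2.exe|C:\\Windows\\System32\\conhost.exe|conhost.exe 0xffffffff -ForceV1",
    "1500|7002|2222|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\arp.exe|arp -a",
]


def run_sample() -> List[Tuple[int, str, int, float, float]]:
    """Evaluate the rule over the constructed sample; returns the alert list."""
    return arp_fanout_alerts(map(parse_line, SAMPLE_LINES))


if __name__ == "__main__":
    for ppid, parent, n, t0, t1 in run_sample():
        print(f"ALERT parent pid {ppid} ({parent}) spawned {n} x arp.exe -a in {t1 - t0:.0f}s")
```

The threshold of five launches in sixty seconds is a starting point, not a tuned value: network-inventory agents also call `arp -a`, so in production the rule is usually paired with a parent-image allowlist or a check that the parent is signed.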
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                    Source: FIa4FloXT2.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: FIa4FloXT2.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
                    Source: FIa4FloXT2.exe | Static file information: File size 1960448 > 1048576
                    Source: FIa4FloXT2.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1c4200
                    Source: FIa4FloXT2.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                    Source: Binary string: clrjit.pdb source: FIa4FloXT2.exe, 00000000.00000002.611026355.000001EE21F30000.00000004.00000001.sdmp
                    Source: Binary string: costura.costura.pdb.compressed source: FIa4FloXT2.exe, 00000000.00000002.601229471.000001EE09091000.00000004.00000001.sdmp
                    Source: Binary string: costura.costura.pdb.compressed|||Costura.pdb|52414EC411DEA325110F0AD21378C8D101897989|2544 source: FIa4FloXT2.exe, 00000000.00000002.604784993.000001EE190B1000.00000004.00000001.sdmp
                    Source: Binary string: C:\Users\Ilham\Documents\Visual Studio 2019\Projects\Siticone.UI\Build\Release\Siticone.UI.WinForms\Siticone.UI.pdb source: FIa4FloXT2.exe, 00000000.00000002.610669296.000001EE21DA9000.00000004.00000001.sdmp
                    Source: Binary string: {3ec7b3ed-503d-4bd7-854f-32934e0d7e04}<Module>#A.#Jc.resources#A.#Kc.resources#A.#ck.resources#A.#4e.resources#A.#hf.resources#A.#Fb.resources#A.#gg.resourcesiBaseult.Properties.Resources.resources#A.#Hb.resourcescostura.costura.dll.compressedcostura.costura.pdb.compressedcostura.metroframework.design.dll.compressedcostura.metroframework.dll.compressedcostura.metroframework.fonts.dll.compressedcostura.siticone.ui.dll.compressedcostura.system.buffers.dll.compressedcostura.system.diagnostics.diagnosticsource.dll.compressedcostura.system.memory.dll.compressedcostura.system.numerics.vectors.dll.compressedcostura.system.runtime.compilerservices.unsafe.dll.compressedcostura.metadata source: FIa4FloXT2.exe, 00000000.00000002.604784993.000001EE190B1000.00000004.00000001.sdmp

                    Data Obfuscation:

                    Yara detected Costura Assembly Loader
                    Source: Yara match | File source: 00000000.00000002.601229471.000001EE09091000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.610107794.000001EE219E0000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.601609293.000001EE09107000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.604784993.000001EE190B1000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 0.2.FIa4FloXT2.exe.1ee1959a438.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.FIa4FloXT2.exe.1ee219e0000.9.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.FIa4FloXT2.exe.1ee1959a438.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.FIa4FloXT2.exe.1ee219e0000.9.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.FIa4FloXT2.exe.1ee190b1928.2.raw.unpack, type: UNPACKEDPE
                    Source: initial sample | Static PE information: section name: .text entropy: 7.96566625224 (near-maximal entropy is expected here rather than a packer indicator on its own: in a .NET assembly the managed resources, including the DEFLATE-compressed costura.*.dll.compressed payloads listed above, live inside .text)
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exe | File created: C:\Users\user\AppData\Local\Temp\32a4a32f-b10a-42fc-a699-939a32e55fe5\SiticoneDotNetRT64.dll
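The Yara hit and the `costura.*.dll.compressed` resource names above describe a Costura.Fody bundle: dependencies are stored as managed resources and inflated at run time. An analyst wants to carve and integrity-check those resources without running the sample. The following is an added example, not code from the report, the sample, or the Costura project. It relies on two conventions stated in its comments: resource names are `costura.` plus the lowercased file name, with `.compressed` appended when the payload is raw DEFLATE (what .NET's `DeflateStream` writes, no zlib header); and the `costura.metadata` line layout `resource|||name|sha1|size` is inferred from the single metadata string quoted on this page, so the parser is tolerant of empty fields. Reading the managed-resource table out of a real PE (dnlib, pythonnet, or a CLI metadata parser) is outside the example; the fixture is a constructed minimal PE packed in-process.

```python
"""Carve and verify a Costura-style embedded assembly from its resource blob.

Added example. Costura naming (`costura.<lowercased name>[.compressed]`, raw
DEFLATE) is a known convention; the metadata field layout is an assumption
taken from the one line visible in the report. The fixture is constructed.
"""
import hashlib
import struct
import zlib
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class CosturaEntry:
    resource: str        # e.g. costura.siticone.ui.dll.compressed
    name: str            # original file name as recorded in the metadata
    sha1: str            # 40 hex digits, assumed to cover the decompressed file
    size: int            # decompressed size in bytes


def parse_metadata(text: str) -> List[CosturaEntry]:
    """Parse costura.metadata lines; empty fields between the '|' separators are skipped."""
    entries = []
    for raw in text.splitlines():
        fields = [f for f in raw.strip().split("|") if f]
        if len(fields) != 4:
            continue                       # blank line or a layout this parser does not know
        resource, name, sha1, size = fields
        entries.append(CosturaEntry(resource, name, sha1.upper(), int(size)))
    return entries


def resource_to_filename(resource: str) -> str:
    """costura.foo.dll[.compressed] -> foo.dll (original case is lost; Costura lowercases)."""
    name = resource[len("costura."):] if resource.startswith("costura.") else resource
    return name[:-len(".compressed")] if name.endswith(".compressed") else name


def unpack(resource: str, blob: bytes) -> bytes:
    """Return the embedded file; .compressed payloads are raw DEFLATE (wbits=-15)."""
    return zlib.decompress(blob, -15) if resource.endswith(".compressed") else blob


def looks_like_pe(data: bytes) -> bool:
    """MZ signature plus a PE\\0\\0 signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def verify(entry: CosturaEntry, data: bytes) -> Dict[str, bool]:
    """The checks to run before trusting a carved file."""
    return {
        "size_ok": len(data) == entry.size,
        "sha1_ok": hashlib.sha1(data).hexdigest().upper() == entry.sha1,
        "pe_ok": looks_like_pe(data),
    }


# --- constructed fixture: a minimal fake PE, packed the way Costura packs one ---
def _fake_pe() -> bytes:
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)       # e_lfanew points just past the DOS header
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 0x100 + b"constructed test body"


def build_fixture() -> Dict[str, object]:
    """Return a resource blob and the metadata line that would describe it."""
    plain = _fake_pe()
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # raw DEFLATE, as DeflateStream emits
    blob = comp.compress(plain) + comp.flush()
    resource = "costura.siticone.ui.dll.compressed"
    meta = f"{resource}|||Siticone.UI.dll|{hashlib.sha1(plain).hexdigest().upper()}|{len(plain)}"
    return {"resource": resource, "blob": blob, "metadata": meta}


def carve(fixture: Dict[str, object]) -> Dict[str, object]:
    """Metadata line + blob -> decompressed file and its verification results."""
    entry = parse_metadata(str(fixture["metadata"]))[0]
    data = unpack(entry.resource, bytes(fixture["blob"]))
    return {"entry": entry, "data": data, "checks": verify(entry, data)}


if __name__ == "__main__":
    result = carve(build_fixture())
    print(result["entry"].name, resource_to_filename(result["entry"].resource), result["checks"])
```

A size or SHA-1 mismatch on a real sample usually means the resource was patched after Costura wrote the metadata, or that the metadata layout differs from the one assumed here; either way the carved file should be treated as untrusted until the discrepancy is explained.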
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Process information set: NOOPENFILEERRORBOX (64 times)

                    Malware Analysis System Evasion:

                    Tries to detect virtualization through RDTSC time measurements
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exe | RDTSC instruction interceptor: First address: 00007FFD69621F0F second address: 00007FFD69621F90 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 dec eax 0x0000000a mov dword ptr [esp+28h], eax 0x0000000e dec eax 0x0000000f mov eax, dword ptr [esp+30h] 0x00000013 dec eax 0x00000014 mov ecx, dword ptr [esp+28h] 0x00000018 dec eax 0x00000019 sub ecx, eax 0x0000001b dec eax 0x0000001c mov eax, ecx 0x0000001e dec eax 0x0000001f add esp, 48h 0x00000022 ret 0x00000023 dec eax 0x00000024 mov dword ptr [00010326h], eax 0x0000002a mov dword ptr [esp+28h], 00000000h 0x00000032 jmp 00007FB004D2DDECh 0x00000034 mov eax, dword ptr [esp+50h] 0x00000038 cmp dword ptr [esp+28h], eax 0x0000003c jnl 00007FB004D2DE24h 0x0000003e rdtsc
                    (The addresses are 64-bit but the listing is decoded as 32-bit code, so every "dec eax" is really a 0x48 REX.W prefix on the instruction that follows: "dec eax / shl edx, 20h" is shl rdx, 20h, "dec eax / or eax, edx" is or rax, rdx, and the esp-relative operands are rsp-relative 64-bit moves. The block folds the EDX:EAX pair from rdtsc into one 64-bit value, returns the difference from an earlier reading, then loops while a counter at [rsp+28h] is below the limit at [rsp+50h]; a large delta between consecutive readings is the signal for a hypervisor trap or single-stepping.)
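To reason about what this signature fires on, it helps to reproduce the measurement with the same instruction shape and see what the delta looks like on a known host. The following is an added example, not code from the report or the sample. On Linux x86-64 it maps one executable page holding `rdtsc; shl rdx,20h; or rax,rdx; ...; rdtsc; ...; sub rax,rcx; ret`, so nothing but the two reads sits between the timestamps; on any other platform it falls back to `time.perf_counter_ns`, which measures nanoseconds with interpreter overhead and is reported as such. The `SUSPECT_CYCLES` threshold is an assumption to calibrate on bare-metal and virtual hosts you control.

```python
"""Back-to-back rdtsc delta, measured natively where possible, then classified.

Added example. The executable stub and the threshold are this example's own;
nothing here is taken from the sample.
"""
import ctypes
import mmap
import platform
import statistics
import sys
import time
from typing import List

# rdtsc ; shl rdx,32 ; or rax,rdx ; mov rcx,rax        (first reading -> rcx)
# rdtsc ; shl rdx,32 ; or rax,rdx ; sub rax,rcx ; ret  (return second - first)
_RDTSC_DELTA_X64 = bytes.fromhex(
    "0F31" "48C1E220" "4809D0" "4889C1"
    "0F31" "48C1E220" "4809D0" "4829C8" "C3"
)

_page = None       # keeps the executable mapping alive for the module's lifetime
_delta_fn = None


def _native_delta():
    """Return a callable giving TSC cycles between two adjacent rdtsc, or None."""
    global _page, _delta_fn
    if _delta_fn is not None:
        return _delta_fn
    if sys.platform == "win32" or platform.machine().lower() not in ("x86_64", "amd64"):
        return None
    try:
        _page = mmap.mmap(-1, mmap.PAGESIZE,
                          prot=mmap.PROT_READ | mmap.PROT_WRITE | mmap.PROT_EXEC)
    except (OSError, ValueError):
        return None    # W^X policy or no exec-capable anonymous memory: use the fallback
    _page.write(_RDTSC_DELTA_X64)
    addr = ctypes.addressof(ctypes.c_char.from_buffer(_page))
    _delta_fn = ctypes.CFUNCTYPE(ctypes.c_uint64)(addr)
    return _delta_fn


def sample_deltas(n: int = 64) -> List[int]:
    """n deltas: TSC cycles natively, else nanoseconds from perf_counter_ns."""
    fn = _native_delta()
    if fn is not None:
        return [fn() for _ in range(n)]
    out = []
    for _ in range(n):
        t0 = time.perf_counter_ns()
        t1 = time.perf_counter_ns()
        out.append(t1 - t0)
    return out


def source() -> str:
    """Which clock produced the deltas, so a verdict is never read without its unit."""
    return "rdtsc" if _native_delta() is not None else "perf_counter_ns"


def classify(deltas: List[int], threshold: int) -> bool:
    """True (suspect hypervisor trap or instrumentation) when the median delta exceeds
    threshold. Median rather than mean so one preempted sample does not flip the
    verdict; the sample's own loop compares individual readings and is noisier."""
    return statistics.median(deltas) > threshold


# Assumed threshold in TSC cycles: two adjacent rdtsc cost tens of cycles on bare
# metal; a trapped rdtsc (VM exit) or a single-stepping debugger costs thousands.
# Most hypervisors do not trap rdtsc, so a negative result proves little.
SUSPECT_CYCLES = 1000


def verdict(n: int = 64) -> dict:
    d = sample_deltas(n)
    return {"source": source(), "median": statistics.median(d),
            "suspect": classify(d, SUSPECT_CYCLES)}


if __name__ == "__main__":
    print(verdict())
```

Run it once on the analysis VM and once on a physical workstation: the two medians show why the sandbox flags the loop, and also how fragile the technique is, since a hypervisor that leaves rdtsc untrapped returns bare-metal-looking numbers.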
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Thread delayed: delay time: 922337203685477 (this is Int64.MaxValue converted from 100 ns ticks to milliseconds, i.e. an effectively infinite wait rather than a chosen delay)
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Window / User API: threadDelayed 1737
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Window / User API: threadDelayed 2017
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Window / User API: threadDelayed 3995
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exe TID: 5184 | Thread sleep time: -4611686018427385s >= -30000s
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exe TID: 776 | Thread sleep time: -39950s >= -30000s
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Thread delayed: delay time: 922337203685477
                    Source: FIa4FloXT2.exe, 00000000.00000002.609678186.000001EE21740000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                    Source: FIa4FloXT2.exe, 00000000.00000002.609678186.000001EE21740000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                    Source: FIa4FloXT2.exe, 00000000.00000002.609678186.000001EE21740000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                    Source: FIa4FloXT2.exe, 00000000.00000002.600571182.000001EE08F28000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: ARP.EXE, 00000002.00000002.334718303.0000019C8E55A000.00000004.00000020.sdmp, ARP.EXE, 00000004.00000002.349844075.000001EBECD69000.00000004.00000020.sdmp, ARP.EXE, 00000007.00000002.356738098.000002C706589000.00000004.00000020.sdmp, ARP.EXE, 00000009.00000002.370406865.00000212D5359000.00000004.00000020.sdmp, ARP.EXE, 0000000B.00000002.373209090.00000147212F6000.00000004.00000020.sdmp, ARP.EXE, 0000000F.00000002.386942796.000002571257A000.00000004.00000020.sdmp, ARP.EXE, 00000011.00000002.389634943.000001CA54A89000.00000004.00000020.sdmp, ARP.EXE, 00000014.00000002.404200845.000002548FFFA000.00000004.00000020.sdmp, ARP.EXE, 00000016.00000002.407074312.000001EC6A0D9000.00000004.00000020.sdmp, ARP.EXE, 0000001B.00000002.422057259.000002017D137000.00000004.00000020.sdmp, ARP.EXE, 0000001F.00000002.425223925.00000219CD8CA000.00000004.00000020.sdmp, ARP.EXE, 00000021.00000002.441194467.00000213312A9000.00000004.00000020.sdmp, ARP.EXE, 00000023.00000002.444422595.000001EC670B9000.00000004.00000020.sdmp, ARP.EXE, 00000026.00000002.458304598.000001676F699000.00000004.00000020.sdmp, ARP.EXE, 00000028.00000002.460926636.000001A587F89000.00000004.00000020.sdmp, ARP.EXE, 0000002A.00000002.475353174.000002AD38979000.00000004.00000020.sdmp, ARP.EXE, 0000002C.00000002.480482821.000001C0088E9000.00000004.00000020.sdmp, ARP.EXE, 0000002E.00000002.493726851.000001A3476D9000.00000004.00000020.sdmp, ARP.EXE, 00000030.00000002.496522763.0000025C4353A000.00000004.00000020.sdmp, ARP.EXE, 00000032.00000002.509869624.000002636CB0A000.00000004.00000020.sdmp, ARP.EXE, 00000034.00000002.512534509.00000229FD649000.00000004.00000020.sdmp, ARP.EXE, 00000038.00000002.526800208.0000022EB0A69000.00000004.00000020.sdmp, ARP.EXE, 0000003B.00000002.530411290.000001D9F8269000.00000004.00000020.sdmp, ARP.EXE, 0000003E.00000002.543993161.00000214F5549000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: FIa4FloXT2.exe, 00000000.00000002.609678186.000001EE21740000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                    (These Hyper-V strings are Windows error-message text and the Winsock catalog name of the Hyper-V socket provider, "Hyper-V RAW", registered by mswsock.dll. Every ARP.EXE instance carries the identical string, so they come from loaded system DLLs rather than from the sample probing for a hypervisor.)
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Memory allocated: page read and write | page guard
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Process created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -a (8 times)
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Process created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -a (13 times)
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 (2 times)
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Process created: unknown unknown (2 times)
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeProcess created: C:\Windows\System32\ARP.EXE 'C:\Windows\System32\arp.exe' -aJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeProcess created: unknown unknownJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeProcess created: unknown unknownJump to behavior
                    Source: FIa4FloXT2.exe, 00000000.00000002.600326634.000001EE079B0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
                    Source: FIa4FloXT2.exe, 00000000.00000002.600326634.000001EE079B0000.00000002.00000001.sdmpBinary or memory string: Progman
                    Source: FIa4FloXT2.exe, 00000000.00000002.600326634.000001EE079B0000.00000002.00000001.sdmpBinary or memory string: &Program Manager
                    Source: FIa4FloXT2.exe, 00000000.00000002.600326634.000001EE079B0000.00000002.00000001.sdmpBinary or memory string: Progmanlock
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Users\user\Desktop\FIa4FloXT2.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\FIa4FloXT2.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\BRLNSB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\BERNHC.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\BRITANIC.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\BROADW.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\CALIFR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\CALIFI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\CALIFB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\CENTAUR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\CHILLER.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\COLONNA.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\COOPBL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\FTLTLT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\HARNGTON.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\HTOWERT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\LBRITE.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\LBRITED.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\LBRITEI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\LCALLIG.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\LFAX.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\LFAXD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\LFAXI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\LFAXDI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\MATURASC.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\MOD20.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\NIAGENG.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\OLDENGL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\ONYX.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\PARCHM.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\POORICH.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\RAVIE.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\INFROMAN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\SHOWG.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\SNAP____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\STENCIL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\VINERITC.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\VIVALDII.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\LATINWD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\TCM_____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\TCMI____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\TCB_____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\TCBI____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\TCCM____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\TCCB____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\TCCEB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\ROCK.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\ROCKI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\ROCKB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\ROCKEB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\ROCKBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\ROCC____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\ROCCB___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\RAGE.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\PERTILI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\PERTIBD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\PER_____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\PERI____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\PERB____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\PERBI___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\PALSCRI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\MAIAN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\LSANSD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\LSANSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\micross.ttf | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Queries volume information: C:\Windows\Fonts\segoeui.ttf | VolumeInformation
Source: C:\Users\user\Desktop\FIa4FloXT2.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Mitre Att&ck Matrix

Techniques by tactic (the matrix columns, flattened; trailing digits on a technique are the report's per-technique signature-count badges as extracted):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: Process Injection12; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: Disable or Modify Tools1; Virtualization/Sandbox Evasion21; Process Injection12; Deobfuscate/Decode Files or Information1; Obfuscated Files or Information1; Software Packing2; Compile After Delivery
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Security Software Discovery11; Process Discovery1; Virtualization/Sandbox Evasion21; Application Window Discovery1; Remote System Discovery1; System Network Configuration Discovery1; System Information Discovery112
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Archive Collected Data1; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: Encrypted Channel2; Non-Application Layer Protocol1; Application Layer Protocol2; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

Behavior Graph

Behavior Graph ID: 439402 | Sample: FIa4FloXT2 | Start date: 24/06/2021 | Architecture: WINDOWS | Score: 60

Information recovered from the rendered graph:

• Signatures on the sample node: Multi AV Scanner detection for submitted file; Yara detected Costura Assembly Loader
• FIa4FloXT2.exe is started. Its node carries the signatures "Tries to detect virtualization through RDTSC time measurements" and "Performs a network lookup / discovery via ARP"; it contacts api.auth.gg (172.67.75.124, 443, 49719, CLOUDFLARENETUS, United States) and drops C:\Users\user\...\SiticoneDotNetRT64.dll (PE32+)
• FIa4FloXT2.exe starts three ARP.EXE instances shown individually plus a collapsed node of 21 other processes; one ARP.EXE instance contacts 192.168.2.1 (unknown unknown)
• Each ARP.EXE starts conhost.exe; the collapsed node starts three conhost.exe instances shown individually plus 14 other processes; further conhost.exe instances are attached below the conhost.exe nodes

                    Screenshots

                    Thumbnails

                    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

Source | Detection | Scanner | Label
FIa4FloXT2.exe | 29% | Virustotal |
FIa4FloXT2.exe | 13% | ReversingLabs | Win32.Trojan.Generic

                    Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\32a4a32f-b10a-42fc-a699-939a32e55fe5\SiticoneDotNetRT64.dll | 3% | Metadefender |
C:\Users\user\AppData\Local\Temp\32a4a32f-b10a-42fc-a699-939a32e55fe5\SiticoneDotNetRT64.dll | 7% | ReversingLabs |

                    Unpacked PE Files

                    No Antivirus matches

                    Domains

Source | Detection | Scanner | Label
api.auth.gg | 0% | Virustotal |

                    URLs

Source | Detection | Scanner | Label
http://www.sajatypeworks.comIGl | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.comT | 0% | Avira URL Cloud | safe
http://en.wcUr | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.comLGk | 0% | Avira URL Cloud | safe
https://www.skyrant.net/SkyRant%20Patch.exe | 0% | Avira URL Cloud | safe
http://www.sakkal.com_ | 0% | Avira URL Cloud | safe
https://www.siticoneframework.com/ | 0% | Avira URL Cloud | safe
http://www.sakkal.com | 0% | URL Reputation | safe
https://www.siticoneframework.com/pricing.htmlGSoftware | 0% | Avira URL Cloud | safe
http://en.w | 0% | URL Reputation | safe
https://api.auth.gg | 0% | Avira URL Cloud | safe
https://api.auth.gg/csharp/8W | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe

                    Domains and IPs

                    Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.auth.gg | 172.67.75.124 | true | false | | unknown

                    URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://vimeo.com/api/v2/video/ | FIa4FloXT2.exe, 00000000.00000002.604784993.000001EE190B1000.00000004.00000001.sdmp | false | | high
http://www.sajatypeworks.comIGl | FIa4FloXT2.exe, 00000000.00000003.344298483.000001EE22557000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sajatypeworks.comT | FIa4FloXT2.exe, 00000000.00000003.344298483.000001EE22557000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://en.wcUr | FIa4FloXT2.exe, 00000000.00000003.344348394.000001EE22545000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sajatypeworks.comLGk | FIa4FloXT2.exe, 00000000.00000003.344298483.000001EE22557000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://www.skyrant.net/SkyRant%20Patch.exe | FIa4FloXT2.exe, 00000000.00000002.601609293.000001EE09107000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://gdata.youtube.com/feeds/api/videos/ | FIa4FloXT2.exe, 00000000.00000002.604784993.000001EE190B1000.00000004.00000001.sdmp | false | | high
http://www.sakkal.com_ | FIa4FloXT2.exe, 00000000.00000003.347951288.000001EE22588000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
https://www.siticoneframework.com/ | FIa4FloXT2.exe, 00000000.00000002.604784993.000001EE190B1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | FIa4FloXT2.exe, 00000000.00000002.601229471.000001EE09091000.00000004.00000001.sdmp | false | | high
http://www.sakkal.com | FIa4FloXT2.exe, 00000000.00000003.347892582.000001EE2255A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://stackoverflow.com/questions/516730/what-does-the-visual-studio-any-cpu-target-mean | FIa4FloXT2.exe, 00000000.00000002.604784993.000001EE190B1000.00000004.00000001.sdmp | false | | high
https://www.siticoneframework.com/pricing.htmlGSoftware | FIa4FloXT2.exe, 00000000.00000002.604784993.000001EE190B1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://en.w | FIa4FloXT2.exe, 00000000.00000003.344382026.000001EE22545000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.auth.gg | FIa4FloXT2.exe, 00000000.00000002.601229471.000001EE09091000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://api.auth.gg/csharp/8W | FIa4FloXT2.exe, 00000000.00000002.601229471.000001EE09091000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sajatypeworks.com | FIa4FloXT2.exe, 00000000.00000003.344298483.000001EE22557000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown

                            Contacted IPs


                            Public

                             IP | Domain | Country | ASN | ASN Name | Malicious
                             172.67.75.124 | api.auth.gg | United States | 13335 | CLOUDFLARENETUS | false

                            Private

                            IP
                            192.168.2.1

                            General Information

                            Joe Sandbox Version:32.0.0 Black Diamond
                            Analysis ID:439402
                            Start date:24.06.2021
                            Start time:02:40:38
                            Joe Sandbox Product:CloudBasic
                            Overall analysis duration:0h 10m 42s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Sample file name:FIa4FloXT2 (renamed file extension from none to exe)
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                             Number of analysed new started processes:65
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • HDC enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Detection:MAL
                            Classification:mal60.spre.evad.winEXE@80/1@1/2
                            EGA Information:Failed
                            HDC Information:
                            • Successful, ratio: 34.1% (good quality ratio 17.1%)
                            • Quality average: 36.5%
                            • Quality standard deviation: 40.4%
                            HCA Information:
                            • Successful, ratio: 100%
                            • Number of executed functions: 0
                            • Number of non-executed functions: 0
                            Cookbook Comments:
                            • Adjust boot time
                            • Enable AMSI
                            Warnings:
                            • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                            • Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 104.43.193.48, 52.255.188.83, 20.82.209.183, 20.54.104.15, 20.54.7.98, 40.112.88.60, 173.222.108.226, 173.222.108.210, 80.67.82.235, 80.67.82.211, 23.211.4.86, 20.50.102.62
                            • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, a767.dscg3.akamai.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, neu-consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net
                             • Not all processes were analyzed, report is missing behavior information
                            • Report size exceeded maximum capacity and may have missing behavior information.
                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                            • Report size getting too big, too many NtDeviceIoControlFile calls found.
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.
                            • Report size getting too big, too many NtReadVirtualMemory calls found.

                            Simulations

                            Behavior and APIs

                            No simulations

                            Joe Sandbox View / Context

                            IPs

                            No context

                            Domains

                             Match | Associated Sample Name / URL | Detection | Context
                             api.auth.gg | Ev3resFlexer_p_.exe | malicious | 104.26.14.127
                             api.auth.gg | Monarchy-0.8.exe | malicious | 104.21.34.240
                             api.auth.gg | Ev3_p_.exe | malicious | 172.67.166.87
                             api.auth.gg | keys.exe | malicious | 172.67.188.12
                             api.auth.gg | Ninja_Project.exe | malicious | 104.31.70.150

                            ASN

                             Match | Associated Sample Name / URL | Detection | Context
                             CLOUDFLARENETUS | exY0P4mpOx.exe | malicious | 104.21.46.30
                             CLOUDFLARENETUS | d3FYSfRPh1.exe | malicious | 172.67.201.250
                             CLOUDFLARENETUS | PGqRa7R362.exe | malicious | 162.159.135.233
                             CLOUDFLARENETUS | R5mwstJ6jJ.exe | malicious | 172.67.206.104
                             CLOUDFLARENETUS | r0Kqo0SlWF.exe | malicious | 162.159.138.232
                             CLOUDFLARENETUS | M7II8HTb0A.dll | malicious | 104.20.185.68
                             CLOUDFLARENETUS | HcNhPqmtx1.exe | malicious | 104.21.14.60
                             CLOUDFLARENETUS | xwKdahKPn8.exe | malicious | 172.67.135.146
                             CLOUDFLARENETUS | ixM2MPZDhf.exe | malicious | 104.23.99.190
                             CLOUDFLARENETUS | m2jCdKcFHA.exe | malicious | 162.159.134.233
                             CLOUDFLARENETUS | qmaBmtzfF7.exe | malicious | 162.159.129.233
                             CLOUDFLARENETUS | hWA5p04FsO.exe | malicious | 172.67.193.180
                             CLOUDFLARENETUS | yevbZfdCqR.exe | malicious | 162.159.134.233
                             CLOUDFLARENETUS | wriMUOqna3.exe | malicious | 162.159.134.233
                             CLOUDFLARENETUS | 8Nrl1bUmnu.exe | malicious | 104.21.14.60
                             CLOUDFLARENETUS | SecuriteInfo.com.W32.AIDetect.malware2.16955.exe | malicious | 172.67.131.148
                             CLOUDFLARENETUS | K46lIjFknE.exe | malicious | 172.67.38.66
                             CLOUDFLARENETUS | iUyzvEVVxL.msi | malicious | 104.23.98.190
                             CLOUDFLARENETUS | lhjBWKh0W3.exe | malicious | 172.67.206.104
                             CLOUDFLARENETUS | XqnM8G36Ih.exe | malicious | 104.22.25.116

                            JA3 Fingerprints

                             Match | Associated Sample Name / URL | Detection | Context
                             3b5074b1b5d032e5620f69f9f700ff0e | Bwtk6ejjS3.exe | malicious | 172.67.75.124
                             3b5074b1b5d032e5620f69f9f700ff0e | PGqRa7R362.exe | malicious | 172.67.75.124
                             3b5074b1b5d032e5620f69f9f700ff0e | r0Kqo0SlWF.exe | malicious | 172.67.75.124
                             3b5074b1b5d032e5620f69f9f700ff0e | qmaBmtzfF7.exe | malicious | 172.67.75.124
                             3b5074b1b5d032e5620f69f9f700ff0e | wriMUOqna3.exe | malicious | 172.67.75.124
                             3b5074b1b5d032e5620f69f9f700ff0e | PO 6339065.xlsb | malicious | 172.67.75.124
                             3b5074b1b5d032e5620f69f9f700ff0e | ww9bGQQ4ur.exe | malicious | 172.67.75.124
                             3b5074b1b5d032e5620f69f9f700ff0e | g6yzl1NROz6FgZi.exe | malicious | 172.67.75.124
                             3b5074b1b5d032e5620f69f9f700ff0e | KCqjqClweR.exe | malicious | 172.67.75.124
                             3b5074b1b5d032e5620f69f9f700ff0e | ZRhXMelo3S.exe | malicious | 172.67.75.124
                             3b5074b1b5d032e5620f69f9f700ff0e | vape_all_versions.zip.exe | malicious | 172.67.75.124
                             3b5074b1b5d032e5620f69f9f700ff0e | o2VoxS1Hs4.exe | malicious | 172.67.75.124
                             3b5074b1b5d032e5620f69f9f700ff0e | tOXxOY3ZHv.exe | malicious | 172.67.75.124
                             3b5074b1b5d032e5620f69f9f700ff0e | lhj244LrcL.exe | malicious | 172.67.75.124
                             3b5074b1b5d032e5620f69f9f700ff0e | dhz7CHgHBx.exe | malicious | 172.67.75.124
                             3b5074b1b5d032e5620f69f9f700ff0e | JB3aOL8aju.exe | malicious | 172.67.75.124
                             3b5074b1b5d032e5620f69f9f700ff0e | sn0tLxzBt2.exe | malicious | 172.67.75.124
                             3b5074b1b5d032e5620f69f9f700ff0e | HhTt1DrzuK.exe | malicious | 172.67.75.124
                             3b5074b1b5d032e5620f69f9f700ff0e | HRXoZLG4ym.exe | malicious | 172.67.75.124
                             3b5074b1b5d032e5620f69f9f700ff0e | script_hack_412.zip.exe | malicious | 172.67.75.124

                            Dropped Files

                            No context

                            Created / dropped Files

                            C:\Users\user\AppData\Local\Temp\32a4a32f-b10a-42fc-a699-939a32e55fe5\SiticoneDotNetRT64.dll
                            Process:C:\Users\user\Desktop\FIa4FloXT2.exe
                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):146414
                            Entropy (8bit):6.346082537918833
                            Encrypted:false
                            SSDEEP:3072:tvfStxRL/l1JLnPynOuA7tuPkVg4qm5a4:ZKFJdvhqm5/
                            MD5:9C43F77CB7CFF27CB47ED67BABE3EDA5
                            SHA1:B0400CF68249369D21DE86BD26BB84CCFFD47C43
                            SHA-256:F25B9288FE370DCFCB4823FB4E44AB88C7F5FCE6E137D0DBA389A3DBA07D621E
                            SHA-512:CDE6FB6CF8DB6F9746E69E6C10214E60B3646700D70B49668A2A792E309714DD2D4C5A5241977A833A95FCDE8318ABCC89EB9968A5039A0B75726BBFA27125A7
                            Malicious:false
                            Antivirus:
                            • Antivirus: Metadefender, Detection: 3%, Browse
                            • Antivirus: ReversingLabs, Detection: 7%
                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t...0..J0..J0..J_.&J3..J9..J;..J0..Jf..J_..J1..J+,.J1..J+,&J(..J+,.J1..J+,.J1..J+,.J1..JRich0..J........................PE..d......Y.........." .........0...............................................p......8&....@.............................................s.......x....@.......0...............P..................................................................`....................text...1........................... ..`.rdata..c...........................@..@.data...X.... ......................@....pdata.......0......................@..@.rsrc........@......................@..@.reloc.......P....... ..............`...........................................................................................................................................................................................................................................................

                            Static File Info

                            General

                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Entropy (8bit):7.869214321062104
                            TrID:
                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                            • Win32 Executable (generic) a (10002005/4) 49.78%
                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                            • Generic Win/DOS Executable (2004/3) 0.01%
                            • DOS Executable Generic (2002/1) 0.01%
                            File name:FIa4FloXT2.exe
                            File size:1960448
                            MD5:fc3ff936df705f3f087c3ec1959d65d3
                            SHA1:260173f8753b936faa33795e2d199bc0a2217694
                            SHA256:a82caeb719bc400a3b75ec950f856b250aae522f5e88b147fddfd7c3aa28536c
                            SHA512:043f6db4298a2dfb429e5c7e9d5ed5f4cb1c18a92d13f4480a5e2138d77660371d012aefb7be089838431223b67c3625bdf56a3ff48d2674d43e800ad3b9a154
                            SSDEEP:49152:WfQ54eh9Kptz4S0ibZgnYsjjCqUVr4wAb:naxpT0LYsnCqUd
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..."&.`.................B...........`... ........@.. .......................`............`................................

                            File Icon

                            Icon Hash:e89247cc2babd6e8

                            Static PE Info

                            General

                            Entrypoint:0x5c60ee
                            Entrypoint Section:.text
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                            DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                            Time Stamp:0x60CD2622 [Fri Jun 18 23:02:58 2021 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:v4.0.30319
                            OS Version Major:4
                            OS Version Minor:0
                            File Version Major:4
                            File Version Minor:0
                            Subsystem Version Major:4
                            Subsystem Version Minor:0
                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                            Entrypoint Preview

                            Instruction
                             jmp dword ptr [00402000h]
                             add byte ptr [eax], al   (repeated 97 times: the rest of the preview is zero bytes, which disassemble to this instruction)

                            Data Directories

                             Name | Virtual Address | Virtual Size | Is in Section
                             IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
                             IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1c60a4 | 0x4a | .text
                             IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1c8000 | 0x1a2bc | .rsrc
                             IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
                             IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
                             IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1e4000 | 0xc | .reloc
                             IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
                             IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
                             IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
                             IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
                             IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
                             IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
                             IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                             IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
                             IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                             IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -

                            Sections

                             Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                             .text | 0x2000 | 0x1c40f4 | 0x1c4200 | False | 0.95847408937 | data | 7.96566625224 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                             .rsrc | 0x1c8000 | 0x1a2bc | 0x1a400 | False | 0.130152529762 | data | 3.13521784154 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                             .reloc | 0x1e4000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                            Resources

                             Name | RVA | Size | Type | Language | Country
                             RT_ICON | 0x1c8094 | 0x1617 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | - | -
                             RT_ICON | 0x1c96cf | 0x10828 | dBase III DBT, version number 0, next free block index 40 | - | -
                             RT_ICON | 0x1d9f1b | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0 | - | -
                             RT_ICON | 0x1de167 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 | - | -
                             RT_ICON | 0x1e0733 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0 | - | -
                             RT_ICON | 0x1e17ff | 0x468 | GLS_BINARY_LSB_FIRST | - | -
                             RT_GROUP_ICON | 0x1e1ca3 | 0x5a | data | - | -
                             RT_VERSION | 0x1e1d39 | 0x368 | data | - | -
                             RT_MANIFEST | 0x1e20dd | 0x1df | XML 1.0 document, UTF-8 Unicode (with BOM) text | - | -

                            Imports

                             DLL | Import
                             mscoree.dll | _CorExeMain

                            Network Behavior

                            Network Port Distribution

                            TCP Packets

                             Timestamp | Source Port | Dest Port | Source IP | Dest IP
                             Jun 24, 2021 02:41:33.451020002 CEST | 49719 | 443 | 192.168.2.6 | 172.67.75.124
                             Jun 24, 2021 02:41:33.490349054 CEST | 443 | 49719 | 172.67.75.124 | 192.168.2.6
                             Jun 24, 2021 02:41:33.490434885 CEST | 49719 | 443 | 192.168.2.6 | 172.67.75.124
                             Jun 24, 2021 02:41:33.549571037 CEST | 49719 | 443 | 192.168.2.6 | 172.67.75.124
                             Jun 24, 2021 02:41:33.589684010 CEST | 443 | 49719 | 172.67.75.124 | 192.168.2.6
                             Jun 24, 2021 02:41:33.590761900 CEST | 443 | 49719 | 172.67.75.124 | 192.168.2.6
                             Jun 24, 2021 02:41:33.590785980 CEST | 443 | 49719 | 172.67.75.124 | 192.168.2.6
                             Jun 24, 2021 02:41:33.590846062 CEST | 49719 | 443 | 192.168.2.6 | 172.67.75.124
                             Jun 24, 2021 02:41:33.600474119 CEST | 49719 | 443 | 192.168.2.6 | 172.67.75.124
                             Jun 24, 2021 02:41:33.638767004 CEST | 443 | 49719 | 172.67.75.124 | 192.168.2.6
                             Jun 24, 2021 02:41:33.638787985 CEST | 443 | 49719 | 172.67.75.124 | 192.168.2.6
                             Jun 24, 2021 02:41:33.692938089 CEST | 49719 | 443 | 192.168.2.6 | 172.67.75.124
                             Jun 24, 2021 02:41:33.720041990 CEST | 49719 | 443 | 192.168.2.6 | 172.67.75.124
                             Jun 24, 2021 02:41:33.759293079 CEST | 443 | 49719 | 172.67.75.124 | 192.168.2.6
                             Jun 24, 2021 02:41:33.759315014 CEST | 443 | 49719 | 172.67.75.124 | 192.168.2.6
                             Jun 24, 2021 02:41:33.760752916 CEST | 49719 | 443 | 192.168.2.6 | 172.67.75.124
                             Jun 24, 2021 02:41:33.840401888 CEST | 443 | 49719 | 172.67.75.124 | 192.168.2.6
                             Jun 24, 2021 02:41:34.020776987 CEST | 443 | 49719 | 172.67.75.124 | 192.168.2.6
                             Jun 24, 2021 02:41:34.020804882 CEST | 443 | 49719 | 172.67.75.124 | 192.168.2.6
                             Jun 24, 2021 02:41:34.021033049 CEST | 49719 | 443 | 192.168.2.6 | 172.67.75.124
                             Jun 24, 2021 02:43:14.201963902 CEST | 49719 | 443 | 192.168.2.6 | 172.67.75.124
                             Jun 24, 2021 02:43:14.242963076 CEST | 443 | 49719 | 172.67.75.124 | 192.168.2.6
                             Jun 24, 2021 02:43:14.245176077 CEST | 49719 | 443 | 192.168.2.6 | 172.67.75.124

                            UDP Packets

                             Timestamp | Source Port | Dest Port | Source IP | Dest IP
                             Jun 24, 2021 02:41:20.899362087 CEST | 64267 | 53 | 192.168.2.6 | 8.8.8.8
                             Jun 24, 2021 02:41:20.929797888 CEST | 49448 | 53 | 192.168.2.6 | 8.8.8.8
                             Jun 24, 2021 02:41:20.962954998 CEST | 53 | 64267 | 8.8.8.8 | 192.168.2.6
                             Jun 24, 2021 02:41:20.976382017 CEST | 53 | 49448 | 8.8.8.8 | 192.168.2.6
                             Jun 24, 2021 02:41:21.834662914 CEST | 60342 | 53 | 192.168.2.6 | 8.8.8.8
                             Jun 24, 2021 02:41:21.890309095 CEST | 53 | 60342 | 8.8.8.8 | 192.168.2.6
                             Jun 24, 2021 02:41:22.727149963 CEST | 61346 | 53 | 192.168.2.6 | 8.8.8.8
                             Jun 24, 2021 02:41:22.775871992 CEST | 53 | 61346 | 8.8.8.8 | 192.168.2.6
                             Jun 24, 2021 02:41:24.886495113 CEST | 51774 | 53 | 192.168.2.6 | 8.8.8.8
                             Jun 24, 2021 02:41:24.933026075 CEST | 53 | 51774 | 8.8.8.8 | 192.168.2.6
                             Jun 24, 2021 02:41:25.869061947 CEST | 56023 | 53 | 192.168.2.6 | 8.8.8.8
                             Jun 24, 2021 02:41:25.924391031 CEST | 53 | 56023 | 8.8.8.8 | 192.168.2.6
                             Jun 24, 2021 02:41:26.654988050 CEST | 58384 | 53 | 192.168.2.6 | 8.8.8.8
                             Jun 24, 2021 02:41:26.713013887 CEST | 53 | 58384 | 8.8.8.8 | 192.168.2.6
                             Jun 24, 2021 02:41:27.745893955 CEST | 60261 | 53 | 192.168.2.6 | 8.8.8.8
                             Jun 24, 2021 02:41:27.803222895 CEST | 53 | 60261 | 8.8.8.8 | 192.168.2.6
                             Jun 24, 2021 02:41:28.696233034 CEST | 56061 | 53 | 192.168.2.6 | 8.8.8.8
                             Jun 24, 2021 02:41:28.753582954 CEST | 53 | 56061 | 8.8.8.8 | 192.168.2.6
                             Jun 24, 2021 02:41:29.948446989 CEST | 58336 | 53 | 192.168.2.6 | 8.8.8.8
                             Jun 24, 2021 02:41:29.995743990 CEST | 53 | 58336 | 8.8.8.8 | 192.168.2.6
                             Jun 24, 2021 02:41:30.939430952 CEST | 53781 | 53 | 192.168.2.6 | 8.8.8.8
                             Jun 24, 2021 02:41:30.990000963 CEST | 53 | 53781 | 8.8.8.8 | 192.168.2.6
                             Jun 24, 2021 02:41:31.746280909 CEST | 54064 | 53 | 192.168.2.6 | 8.8.8.8
                             Jun 24, 2021 02:41:31.793806076 CEST | 53 | 54064 | 8.8.8.8 | 192.168.2.6
                             Jun 24, 2021 02:41:32.524905920 CEST | 52811 | 53 | 192.168.2.6 | 8.8.8.8
                             Jun 24, 2021 02:41:32.577461004 CEST | 53 | 52811 | 8.8.8.8 | 192.168.2.6
                             Jun 24, 2021 02:41:33.367937088 CEST | 55299 | 53 | 192.168.2.6 | 8.8.8.8
                             Jun 24, 2021 02:41:33.419544935 CEST | 63745 | 53 | 192.168.2.6 | 8.8.8.8
                             Jun 24, 2021 02:41:33.431637049 CEST | 53 | 55299 | 8.8.8.8 | 192.168.2.6
                             Jun 24, 2021 02:41:33.479214907 CEST | 53 | 63745 | 8.8.8.8 | 192.168.2.6
                             Jun 24, 2021 02:41:34.387495995 CEST | 50055 | 53 | 192.168.2.6 | 8.8.8.8
                             Jun 24, 2021 02:41:34.442169905 CEST | 53 | 50055 | 8.8.8.8 | 192.168.2.6
                             Jun 24, 2021 02:41:35.434582949 CEST | 61374 | 53 | 192.168.2.6 | 8.8.8.8
                             Jun 24, 2021 02:41:35.484483957 CEST | 53 | 61374 | 8.8.8.8 | 192.168.2.6
                             Jun 24, 2021 02:41:36.365865946 CEST | 50339 | 53 | 192.168.2.6 | 8.8.8.8
                             Jun 24, 2021 02:41:36.415067911 CEST | 53 | 50339 | 8.8.8.8 | 192.168.2.6
                             Jun 24, 2021 02:41:37.278311014 CEST | 63307 | 53 | 192.168.2.6 | 8.8.8.8
                             Jun 24, 2021 02:41:37.324343920 CEST | 53 | 63307 | 8.8.8.8 | 192.168.2.6
                             Jun 24, 2021 02:41:38.369978905 CEST | 49694 | 53 | 192.168.2.6 | 8.8.8.8
                             Jun 24, 2021 02:41:38.428312063 CEST | 53 | 49694 | 8.8.8.8 | 192.168.2.6
                             Jun 24, 2021 02:41:53.159904957 CEST | 54982 | 53 | 192.168.2.6 | 8.8.8.8
                             Jun 24, 2021 02:41:53.231611967 CEST | 53 | 54982 | 8.8.8.8 | 192.168.2.6
                             Jun 24, 2021 02:42:13.515556097 CEST | 50010 | 53 | 192.168.2.6 | 8.8.8.8
                             Jun 24, 2021 02:42:13.650875092 CEST | 53 | 50010 | 8.8.8.8 | 192.168.2.6
                             Jun 24, 2021 02:42:14.319166899 CEST | 63718 | 53 | 192.168.2.6 | 8.8.8.8
                             Jun 24, 2021 02:42:14.380388021 CEST | 53 | 63718 | 8.8.8.8 | 192.168.2.6
                             Jun 24, 2021 02:42:15.012892962 CEST | 62116 | 53 | 192.168.2.6 | 8.8.8.8
                             Jun 24, 2021 02:42:15.071167946 CEST | 53 | 62116 | 8.8.8.8 | 192.168.2.6
                             Jun 24, 2021 02:42:15.532649994 CEST | 63816 | 53 | 192.168.2.6 | 8.8.8.8
                             Jun 24, 2021 02:42:15.596148968 CEST | 53 | 63816 | 8.8.8.8 | 192.168.2.6
                             Jun 24, 2021 02:42:15.654462099 CEST | 55014 | 53 | 192.168.2.6 | 8.8.8.8
                             Jun 24, 2021 02:42:15.718343973 CEST | 53 | 55014 | 8.8.8.8 | 192.168.2.6
                             Jun 24, 2021 02:42:16.104439974 CEST | 62208 | 53 | 192.168.2.6 | 8.8.8.8
                             Jun 24, 2021 02:42:16.160885096 CEST | 53 | 62208 | 8.8.8.8 | 192.168.2.6
                             Jun 24, 2021 02:42:16.207530022 CEST | 57574 | 53 | 192.168.2.6 | 8.8.8.8
                             Jun 24, 2021 02:42:16.255208969 CEST | 53 | 57574 | 8.8.8.8 | 192.168.2.6
                             Jun 24, 2021 02:42:16.869541883 CEST | 51818 | 53 | 192.168.2.6 | 8.8.8.8
                             Jun 24, 2021 02:42:16.924186945 CEST | 53 | 51818 | 8.8.8.8 | 192.168.2.6
                             Jun 24, 2021 02:42:17.402343035 CEST | 56628 | 53 | 192.168.2.6 | 8.8.8.8
                             Jun 24, 2021 02:42:17.449376106 CEST | 53 | 56628 | 8.8.8.8 | 192.168.2.6
                             Jun 24, 2021 02:42:18.269949913 CEST | 60778 | 53 | 192.168.2.6 | 8.8.8.8
                             Jun 24, 2021 02:42:18.317893982 CEST | 53 | 60778 | 8.8.8.8 | 192.168.2.6
                             Jun 24, 2021 02:42:19.244786978 CEST | 53799 | 53 | 192.168.2.6 | 8.8.8.8
                             Jun 24, 2021 02:42:19.297305107 CEST | 53 | 53799 | 8.8.8.8 | 192.168.2.6
                             Jun 24, 2021 02:42:20.027053118 CEST | 54683 | 53 | 192.168.2.6 | 8.8.8.8
                             Jun 24, 2021 02:42:20.090380907 CEST | 53 | 54683 | 8.8.8.8 | 192.168.2.6
                             Jun 24, 2021 02:42:31.114869118 CEST | 59329 | 53 | 192.168.2.6 | 8.8.8.8
                             Jun 24, 2021 02:42:31.170279980 CEST | 53 | 59329 | 8.8.8.8 | 192.168.2.6
                             Jun 24, 2021 02:43:01.256450891 CEST | 64021 | 53 | 192.168.2.6 | 8.8.8.8
                             Jun 24, 2021 02:43:01.313138008 CEST | 53 | 64021 | 8.8.8.8 | 192.168.2.6
                             Jun 24, 2021 02:43:01.788259983 CEST | 56129 | 53 | 192.168.2.6 | 8.8.8.8
                             Jun 24, 2021 02:43:01.854778051 CEST | 53 | 56129 | 8.8.8.8 | 192.168.2.6
                            Jun 24, 2021 02:43:03.414365053 CEST5817753192.168.2.68.8.8.8
                            Jun 24, 2021 02:43:03.472585917 CEST53581778.8.8.8192.168.2.6

                            DNS Queries

                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                            Jun 24, 2021 02:41:33.367937088 CEST | 192.168.2.6 | 8.8.8.8 | 0x92b | Standard query (0) | api.auth.gg | A (IP address) | IN (0x0001)

                            DNS Answers

                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                            Jun 24, 2021 02:41:33.431637049 CEST | 8.8.8.8 | 192.168.2.6 | 0x92b | No error (0) | api.auth.gg |  | 172.67.75.124 | A (IP address) | IN (0x0001)
                            Jun 24, 2021 02:41:33.431637049 CEST | 8.8.8.8 | 192.168.2.6 | 0x92b | No error (0) | api.auth.gg |  | 104.26.14.127 | A (IP address) | IN (0x0001)
                            Jun 24, 2021 02:41:33.431637049 CEST | 8.8.8.8 | 192.168.2.6 | 0x92b | No error (0) | api.auth.gg |  | 104.26.15.127 | A (IP address) | IN (0x0001)

                            HTTPS Packets

                            Timestamp:Jun 24, 2021 02:41:33.590785980 CEST
                            Source IP:172.67.75.124
                            Source Port:443
                            Dest IP:192.168.2.6
                            Dest Port:49719
                            JA3 SSL Client Fingerprint:771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0
                            JA3 SSL Client Digest:3b5074b1b5d032e5620f69f9f700ff0e
                            Certificate chain:
                            • Subject: CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=California, C=US; Issuer: CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US; Not Before: Fri Jun 11 02:00:00 CEST 2021; Not After: Sat Jun 11 01:59:59 CEST 2022
                            • Subject: CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US; Issuer: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE; Not Before: Mon Jan 27 13:48:08 CET 2020; Not After: Wed Jan 01 00:59:59 CET 2025

                            Code Manipulations

                            Statistics

                            CPU Usage

                            Memory Usage

                            High Level Behavior Distribution

                            Behavior

                            System Behavior

                            General

                            Start time:02:41:28
                            Start date:24/06/2021
                            Path:C:\Users\user\Desktop\FIa4FloXT2.exe
                            Wow64 process (32bit):false
                            Commandline:'C:\Users\user\Desktop\FIa4FloXT2.exe'
                            Imagebase:0x1ee07100000
                            File size:1960448 bytes
                            MD5 hash:FC3FF936DF705F3F087C3EC1959D65D3
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:.Net C# or VB.NET
                            Yara matches:
                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.601229471.000001EE09091000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.610107794.000001EE219E0000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.601609293.000001EE09107000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.604784993.000001EE190B1000.00000004.00000001.sdmp, Author: Joe Security
                            Reputation:low

                            General

                            Start time:02:41:31
                            Start date:24/06/2021
                            Path:C:\Windows\System32\ARP.EXE
                            Wow64 process (32bit):false
                            Commandline:'C:\Windows\System32\arp.exe' -a
                            Imagebase:0x7ff7433a0000
                            File size:25600 bytes
                            MD5 hash:D0F33D464A967DA483BBEEFE4D9D3683
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate

                            General

                            Start time:02:41:31
                            Start date:24/06/2021
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff61de10000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            General

                            Start time:02:41:38
                            Start date:24/06/2021
                            Path:C:\Windows\System32\ARP.EXE
                            Wow64 process (32bit):false
                            Commandline:'C:\Windows\System32\arp.exe' -a
                            Imagebase:0x7ff7433a0000
                            File size:25600 bytes
                            MD5 hash:D0F33D464A967DA483BBEEFE4D9D3683
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate

                            General

                            Start time:02:41:38
                            Start date:24/06/2021
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff61de10000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            General

                            Start time:02:41:41
                            Start date:24/06/2021
                            Path:C:\Windows\System32\ARP.EXE
                            Wow64 process (32bit):false
                            Commandline:'C:\Windows\System32\arp.exe' -a
                            Imagebase:0x7ff7433a0000
                            File size:25600 bytes
                            MD5 hash:D0F33D464A967DA483BBEEFE4D9D3683
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate

                            General

                            Start time:02:41:41
                            Start date:24/06/2021
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff61de10000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            General

                            Start time:02:41:47
                            Start date:24/06/2021
                            Path:C:\Windows\System32\ARP.EXE
                            Wow64 process (32bit):false
                            Commandline:'C:\Windows\System32\arp.exe' -a
                            Imagebase:0x7ff7433a0000
                            File size:25600 bytes
                            MD5 hash:D0F33D464A967DA483BBEEFE4D9D3683
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate

                            General

                            Start time:02:41:48
                            Start date:24/06/2021
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff61de10000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            General

                            Start time:02:41:49
                            Start date:24/06/2021
                            Path:C:\Windows\System32\ARP.EXE
                            Wow64 process (32bit):false
                            Commandline:'C:\Windows\System32\arp.exe' -a
                            Imagebase:0x7ff7ae910000
                            File size:25600 bytes
                            MD5 hash:D0F33D464A967DA483BBEEFE4D9D3683
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate

                            General

                            Start time:02:41:49
                            Start date:24/06/2021
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff61de10000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            General

                            Start time:02:41:55
                            Start date:24/06/2021
                            Path:C:\Windows\System32\ARP.EXE
                            Wow64 process (32bit):false
                            Commandline:'C:\Windows\System32\arp.exe' -a
                            Imagebase:0x7ff7433a0000
                            File size:25600 bytes
                            MD5 hash:D0F33D464A967DA483BBEEFE4D9D3683
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            General

                            Start time:02:41:56
                            Start date:24/06/2021
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff61de10000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            General

                            Start time:02:41:56
                            Start date:24/06/2021
                            Path:C:\Windows\System32\ARP.EXE
                            Wow64 process (32bit):false
                            Commandline:'C:\Windows\System32\arp.exe' -a
                            Imagebase:0x7ff7433a0000
                            File size:25600 bytes
                            MD5 hash:D0F33D464A967DA483BBEEFE4D9D3683
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            General

                            Start time:02:41:57
                            Start date:24/06/2021
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff61de10000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            General

                            Start time:02:42:03
                            Start date:24/06/2021
                            Path:C:\Windows\System32\ARP.EXE
                            Wow64 process (32bit):false
                            Commandline:'C:\Windows\System32\arp.exe' -a
                            Imagebase:0x7ff7433a0000
                            File size:25600 bytes
                            MD5 hash:D0F33D464A967DA483BBEEFE4D9D3683
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            General

                            Start time:02:42:04
                            Start date:24/06/2021
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff61de10000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            General

                            Start time:02:42:04
                            Start date:24/06/2021
                            Path:C:\Windows\System32\ARP.EXE
                            Wow64 process (32bit):false
                            Commandline:'C:\Windows\System32\arp.exe' -a
                            Imagebase:0x7ff7433a0000
                            File size:25600 bytes
                            MD5 hash:D0F33D464A967DA483BBEEFE4D9D3683
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            General

                            Start time:02:42:05
                            Start date:24/06/2021
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff61de10000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            General

                            Start time:02:42:11
                            Start date:24/06/2021
                            Path:C:\Windows\System32\ARP.EXE
                            Wow64 process (32bit):false
                            Commandline:'C:\Windows\System32\arp.exe' -a
                            Imagebase:0x7ff7433a0000
                            File size:25600 bytes
                            MD5 hash:D0F33D464A967DA483BBEEFE4D9D3683
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            General

                            Start time:02:42:12
                            Start date:24/06/2021
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff61de10000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            General

                            Start time:02:42:13
                            Start date:24/06/2021
                            Path:C:\Windows\System32\ARP.EXE
                            Wow64 process (32bit):false
                            Commandline:'C:\Windows\System32\arp.exe' -a
                            Imagebase:0x7ff7433a0000
                            File size:25600 bytes
                            MD5 hash:D0F33D464A967DA483BBEEFE4D9D3683
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            General

                            Start time:02:42:13
                            Start date:24/06/2021
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff61de10000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            General

                            Start time:02:42:19
                            Start date:24/06/2021
                            Path:C:\Windows\System32\ARP.EXE
                            Wow64 process (32bit):false
                            Commandline:'C:\Windows\System32\arp.exe' -a
                            Imagebase:0x7ff7433a0000
                            File size:25600 bytes
                            MD5 hash:D0F33D464A967DA483BBEEFE4D9D3683
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            General

                            Start time:02:42:20
                            Start date:24/06/2021
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff61de10000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            General

                            Start time:02:42:22
                            Start date:24/06/2021
                            Path:C:\Windows\System32\ARP.EXE
                            Wow64 process (32bit):false
                            Commandline:'C:\Windows\System32\arp.exe' -a
                            Imagebase:0x7ff7433a0000
                            File size:25600 bytes
                            MD5 hash:D0F33D464A967DA483BBEEFE4D9D3683
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            General

                            Start time:02:42:22
                            Start date:24/06/2021
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff61de10000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            General

                            Start time:02:42:28
                            Start date:24/06/2021
                            Path:C:\Windows\System32\ARP.EXE
                            Wow64 process (32bit):false
                            Commandline:'C:\Windows\System32\arp.exe' -a
                            Imagebase:0x7ff7433a0000
                            File size:25600 bytes
                            MD5 hash:D0F33D464A967DA483BBEEFE4D9D3683
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            General

                            Start time:02:42:29
                            Start date:24/06/2021
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff61de10000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            General

                            Start time:02:42:30
                            Start date:24/06/2021
                            Path:C:\Windows\System32\ARP.EXE
                            Wow64 process (32bit):false
                            Commandline:'C:\Windows\System32\arp.exe' -a
                            Imagebase:0x7ff7433a0000
                            File size:25600 bytes
                            MD5 hash:D0F33D464A967DA483BBEEFE4D9D3683
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            General

                            Start time:02:42:30
                            Start date:24/06/2021
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff61de10000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            General

                            Start time:02:42:36
                            Start date:24/06/2021
                            Path:C:\Windows\System32\ARP.EXE
                            Wow64 process (32bit):false
                            Commandline:'C:\Windows\System32\arp.exe' -a
                            Imagebase:0x7ff7433a0000
                            File size:25600 bytes
                            MD5 hash:D0F33D464A967DA483BBEEFE4D9D3683
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            General

                            Start time:02:42:36
                            Start date:24/06/2021
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff61de10000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            General

                            Start time:02:42:38
                            Start date:24/06/2021
                            Path:C:\Windows\System32\ARP.EXE
                            Wow64 process (32bit):false
                            Commandline:'C:\Windows\System32\arp.exe' -a
                            Imagebase:0x7ff7433a0000
                            File size:25600 bytes
                            MD5 hash:D0F33D464A967DA483BBEEFE4D9D3683
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            General

                            Start time:02:42:38
                            Start date:24/06/2021
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff61de10000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            General

                            Start time:02:42:45
                            Start date:24/06/2021
                            Path:C:\Windows\System32\ARP.EXE
                            Wow64 process (32bit):false
                            Commandline:'C:\Windows\System32\arp.exe' -a
                            Imagebase:0x7ff7433a0000
                            File size:25600 bytes
                            MD5 hash:D0F33D464A967DA483BBEEFE4D9D3683
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            General

                            Start time:02:42:45
                            Start date:24/06/2021
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff61de10000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            General

                            Start time:02:42:46
                            Start date:24/06/2021
                            Path:C:\Windows\System32\ARP.EXE
                            Wow64 process (32bit):false
                            Commandline:'C:\Windows\System32\arp.exe' -a
                            Imagebase:0x7ff7433a0000
                            File size:25600 bytes
                            MD5 hash:D0F33D464A967DA483BBEEFE4D9D3683
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            General

                            Start time:02:42:47
                            Start date:24/06/2021
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff61de10000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            General

                            Start time:02:42:52
                            Start date:24/06/2021
                            Path:C:\Windows\System32\ARP.EXE
                            Wow64 process (32bit):false
                            Commandline:'C:\Windows\System32\arp.exe' -a
                            Imagebase:0x7ff7433a0000
                            File size:25600 bytes
                            MD5 hash:D0F33D464A967DA483BBEEFE4D9D3683
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            General

                            Start time:02:42:53
                            Start date:24/06/2021
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff61de10000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            General

                            Start time:02:42:54
                            Start date:24/06/2021
                            Path:C:\Windows\System32\ARP.EXE
                            Wow64 process (32bit):false
                            Commandline:'C:\Windows\System32\arp.exe' -a
                            Imagebase:0x7ff7433a0000
                            File size:25600 bytes
                            MD5 hash:D0F33D464A967DA483BBEEFE4D9D3683
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            General

                            Start time:02:42:54
                            Start date:24/06/2021
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff61de10000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            General

                            Start time:02:43:00
                            Start date:24/06/2021
                            Path:C:\Windows\System32\ARP.EXE
                            Wow64 process (32bit):false
                            Commandline:'C:\Windows\System32\arp.exe' -a
                            Imagebase:0x7ff7433a0000
                            File size:25600 bytes
                            MD5 hash:D0F33D464A967DA483BBEEFE4D9D3683
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            General

                            Start time:02:43:01
                            Start date:24/06/2021
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff61de10000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            General

                            Start time:02:43:02
                            Start date:24/06/2021
                            Path:C:\Windows\System32\ARP.EXE
                            Wow64 process (32bit):false
                            Commandline:'C:\Windows\System32\arp.exe' -a
                            Imagebase:0x7ff7433a0000
                            File size:25600 bytes
                            MD5 hash:D0F33D464A967DA483BBEEFE4D9D3683
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            General

                            Start time:02:43:02
                            Start date:24/06/2021
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff61de10000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            General

                            Start time:02:43:08
                            Start date:24/06/2021
                            Path:C:\Windows\System32\ARP.EXE
                            Wow64 process (32bit):false
                            Commandline:'C:\Windows\System32\arp.exe' -a
                            Imagebase:0x7ff7433a0000
                            File size:25600 bytes
                            MD5 hash:D0F33D464A967DA483BBEEFE4D9D3683
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            General

                            Start time:02:43:09
                            Start date:24/06/2021
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff61de10000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Disassembly

                            Code Analysis
