
Windows Analysis Report HSBc20210216B1.exe

Overview

General Information

Sample Name: HSBc20210216B1.exe
Analysis ID: 483659
MD5: ced0f1b2afd1d48ecb5dc8a563c836c9
SHA1: d999697f2b1111b7b72603bc9bee04cbf7a3664c
SHA256: 8bd91aa543ff97c07aae2a257ea7f97729c4345be8c4c4e6dea2e1aa48324bc3
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Modifies the hosts file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • HSBc20210216B1.exe (PID: 6404 cmdline: 'C:\Users\user\Desktop\HSBc20210216B1.exe' MD5: CED0F1B2AFD1D48ECB5DC8A563C836C9)
    • RegSvcs.exe (PID: 6648 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • NXLun.exe (PID: 6692 cmdline: 'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe' MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 4088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • NXLun.exe (PID: 6780 cmdline: 'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe' MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 6832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "paola.micheli@copangroup.xyz", "Password": "gibson.1990", "Host": "us2.smtp.mailhostbox.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000005.00000002.490503848.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000005.00000002.490503848.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000001.00000002.249871977.0000000003061000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000001.00000002.251226749.0000000004069000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000001.00000002.251226749.0000000004069000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
(8 further entries not shown in this extract)

Unpacked PEs

Source | Rule | Description | Author
5.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
5.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
1.2.HSBc20210216B1.exe.412acb8.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
1.2.HSBc20210216B1.exe.412acb8.1.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
1.2.HSBc20210216B1.exe.412acb8.1.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(1 further entry not shown in this extract)

Sigma Overview

System Summary:

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Source: Process started | Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard | Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\HSBc20210216B1.exe' , ParentImage: C:\Users\user\Desktop\HSBc20210216B1.exe, ParentProcessId: 6404, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 6648
Sigma detected: Possible Applocker Bypass
Source: Process started | Author: juju4 | Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\HSBc20210216B1.exe' , ParentImage: C:\Users\user\Desktop\HSBc20210216B1.exe, ParentProcessId: 6404, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 6648
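Both Sigma hits describe the same event: the .NET utility RegSvcs.exe started with an empty command line by a binary on the user's Desktop, which is the prelude to hollowing it with the AgentTesla payload (the unpacked PE later appears at 5.2.RegSvcs.exe.400000). The Python below is an added example of that detection logic run over process-creation events; it is not code from this report or from the Sigma project. The binary sets approximate the two rules rather than copy them, the user-writable-parent check is an extra heuristic of this example, and only the first sample event reproduces the event recorded above; the other two are constructed baselines that show which checks stay quiet.

```python
import ntpath
import re
from dataclasses import dataclass

# Utilities that always take an argument when used legitimately. Spawning one with
# an empty command line is the classic "sacrificial process" prelude to hollowing.
# This set approximates the Sigma rule named in the report; it is not a copy of it.
SACRIFICIAL_BINARIES = {"regsvcs.exe", "regasm.exe", "regsvr32.exe", "rundll32.exe"}

# .NET framework utilities that execute attacker-supplied assemblies and are abused
# as AppLocker bypass hosts (the second Sigma hit). Presence alone is a weak signal.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}

# Added heuristic (not part of either rule): framework utilities should not be
# launched by binaries living in user-writable locations such as Desktop or AppData.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(desktop|downloads|appdata)\\", re.I)


@dataclass(frozen=True)
class ProcessEvent:
    image: str          # full path of the new process
    command_line: str   # command line as logged (Sysmon EventID 1 / 4688 style)
    parent_image: str   # full path of the parent process


def argument_tail(command_line: str, image: str) -> str:
    """Return whatever follows the image name in the command line ('' when nothing)."""
    name = ntpath.basename(image).lower()
    idx = command_line.lower().find(name)
    if idx == -1:
        return command_line.strip()
    return command_line[idx + len(name):].strip(" \t\"'")


def evaluate(event: ProcessEvent) -> list[str]:
    """Return the findings for one process-creation event; an empty list means clean."""
    findings = []
    name = ntpath.basename(event.image).lower()
    if name in SACRIFICIAL_BINARIES and argument_tail(event.command_line, event.image) == "":
        findings.append("sacrificial_process_no_args")
    if name in DOTNET_HOSTS:
        findings.append("dotnet_host_possible_applocker_bypass")
    if name in DOTNET_HOSTS and USER_WRITABLE.search(event.parent_image):
        findings.append("framework_utility_spawned_from_user_writable_parent")
    return findings


def triage(events: list[ProcessEvent]) -> list[tuple[int, list[str]]]:
    """Return (event index, findings) for every event that fired at least one check."""
    out = []
    for i, ev in enumerate(events):
        hits = evaluate(ev)
        if hits:
            out.append((i, hits))
    return out


# Constructed sample events. The first reproduces the process start recorded in the
# report; the second and third are benign baselines invented for this example.
SAMPLE_EVENTS = [
    ProcessEvent(
        image=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
        command_line=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
        parent_image=r"C:\Users\user\Desktop\HSBc20210216B1.exe",
    ),
    ProcessEvent(  # legitimate COM+ registration driven by an installer (constructed)
        image=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
        command_line=r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" "C:\Program Files\Vendor\Component.dll"',
        parent_image=r"C:\Windows\System32\msiexec.exe",
    ),
    ProcessEvent(  # console host spawned by the persistence copy, as in the process tree
        image=r"C:\Windows\System32\conhost.exe",
        command_line=r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
        parent_image=r"C:\Users\user\AppData\Roaming\NXLun\NXLun.exe",
    ),
]


if __name__ == "__main__":
    for i, hits in triage(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i].image, hits)
```

The AppLocker-bypass check fires on the benign installer run as well, which is why that rule is only useful as context; the no-argument launch combined with a user-writable parent is the high-confidence part and matches exactly the event the sandbox recorded.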

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 1.2.HSBc20210216B1.exe.412acb8.1.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "paola.micheli@copangroup.xyz", "Password": "gibson.1990", "Host": "us2.smtp.mailhostbox.com"}
Multi AV Scanner detection for submitted file
Source: HSBc20210216B1.exe | Virustotal: Detection: 20%
Source: HSBc20210216B1.exe | ReversingLabs: Detection: 16%
Source: 5.2.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: HSBc20210216B1.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: HSBc20210216B1.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000005.00000003.449772837.0000000005993000.00000004.00000001.sdmp, NXLun.exe, 00000012.00000002.314896853.0000000000A92000.00000002.00020000.sdmp, NXLun.exe, 00000017.00000000.328698652.0000000000C52000.00000002.00020000.sdmp, NXLun.exe.5.dr
Source: Binary string: RegSvcs.pdb source: NXLun.exe, NXLun.exe.5.dr
Source: Joe Sandbox View | IP Address: 208.91.199.225
Source: global traffic | TCP traffic: 192.168.2.3:49818 -> 208.91.199.225:587
Source: RegSvcs.exe, 00000005.00000002.494922031.00000000026E1000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegSvcs.exe, 00000005.00000002.494922031.00000000026E1000.00000004.00000001.sdmp | String found in binary or memory: http://5c3LgjsgKO5q1r.com
Source: RegSvcs.exe, 00000005.00000002.494922031.00000000026E1000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: RegSvcs.exe, 00000005.00000002.496366512.0000000002A40000.00000004.00000001.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: HSBc20210216B1.exe, 00000001.00000002.255035686.00000000072A2000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: RegSvcs.exe, 00000005.00000002.494922031.00000000026E1000.00000004.00000001.sdmp | String found in binary or memory: http://jdPkJL.com
Source: RegSvcs.exe, 00000005.00000002.496366512.0000000002A40000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.sectigo.com0A
Source: RegSvcs.exe, 00000005.00000002.496366512.0000000002A40000.00000004.00000001.sdmp | String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: HSBc20210216B1.exe, 00000001.00000003.231640927.00000000060BF000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: HSBc20210216B1.exe, 00000001.00000003.232393260.00000000060C0000.00000004.00000001.sdmp, HSBc20210216B1.exe, 00000001.00000003.231752467.00000000060C0000.00000004.00000001.sdmp, HSBc20210216B1.exe, 00000001.00000003.232607353.00000000060C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: HSBc20210216B1.exe, 00000001.00000003.232607353.00000000060C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com-y
Source: HSBc20210216B1.exe, 00000001.00000003.231789778.00000000060C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com.12.p
Source: HSBc20210216B1.exe, 00000001.00000003.231752467.00000000060C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com3
Source: HSBc20210216B1.exe, 00000001.00000003.232607353.00000000060C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comB4
Source: HSBc20210216B1.exe, 00000001.00000003.232808189.00000000060C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comBv
Source: HSBc20210216B1.exe, 00000001.00000003.232393260.00000000060C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comIyU4
Source: HSBc20210216B1.exe, 00000001.00000003.232607353.00000000060C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comTC
Source: HSBc20210216B1.exe, 00000001.00000003.231865905.00000000060C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comTCwy
Source: HSBc20210216B1.exe, 00000001.00000003.232393260.00000000060C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comcRyJ4
Source: HSBc20210216B1.exe, 00000001.00000003.232393260.00000000060C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comjw
Source: HSBc20210216B1.exe, 00000001.00000002.255035686.00000000072A2000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: HSBc20210216B1.exe, 00000001.00000003.231752467.00000000060C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comn-u
Source: HSBc20210216B1.exe, 00000001.00000003.232808189.00000000060C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comnv
Source: HSBc20210216B1.exe, 00000001.00000003.232548828.00000000060C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comvw
Source: HSBc20210216B1.exe, 00000001.00000003.232607353.00000000060C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comw
Source: HSBc20210216B1.exe, 00000001.00000002.255035686.00000000072A2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: HSBc20210216B1.exe, 00000001.00000002.255035686.00000000072A2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: HSBc20210216B1.exe, 00000001.00000003.235658575.00000000060C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/
Source: HSBc20210216B1.exe, 00000001.00000002.255035686.00000000072A2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: HSBc20210216B1.exe, 00000001.00000002.255035686.00000000072A2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: HSBc20210216B1.exe, 00000001.00000002.255035686.00000000072A2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: HSBc20210216B1.exe, 00000001.00000003.236025933.00000000060C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers2qa4n
Source: HSBc20210216B1.exe, 00000001.00000003.236619080.00000000060C0000.00000004.00000001.sdmp, HSBc20210216B1.exe, 00000001.00000002.255035686.00000000072A2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: HSBc20210216B1.exe, 00000001.00000002.255035686.00000000072A2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: HSBc20210216B1.exe, 00000001.00000002.255035686.00000000072A2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: HSBc20210216B1.exe, 00000001.00000003.237063097.00000000060C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersGqV4
Source: HSBc20210216B1.exe, 00000001.00000003.236025933.00000000060C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersXq
Source: HSBc20210216B1.exe, 00000001.00000003.235700772.00000000060C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersp
Source: HSBc20210216B1.exe, 00000001.00000002.254016500.0000000006090000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com=
Source: HSBc20210216B1.exe, 00000001.00000002.254016500.0000000006090000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comFn
Source: HSBc20210216B1.exe, 00000001.00000002.254016500.0000000006090000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.coma
Source: HSBc20210216B1.exe, 00000001.00000002.254016500.0000000006090000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comceto
Source: HSBc20210216B1.exe, 00000001.00000002.255035686.00000000072A2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: HSBc20210216B1.exe, 00000001.00000003.231266137.00000000060BE000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: HSBc20210216B1.exe, 00000001.00000002.255035686.00000000072A2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: HSBc20210216B1.exe, 00000001.00000002.255035686.00000000072A2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: HSBc20210216B1.exe, 00000001.00000003.231266137.00000000060BE000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnM4
Source: HSBc20210216B1.exe, 00000001.00000003.231266137.00000000060BE000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cne4
Source: HSBc20210216B1.exe, 00000001.00000002.255035686.00000000072A2000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: HSBc20210216B1.exe, 00000001.00000002.255035686.00000000072A2000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: HSBc20210216B1.exe, 00000001.00000002.255035686.00000000072A2000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: HSBc20210216B1.exe, 00000001.00000003.233470064.0000000006093000.00000004.00000001.sdmp, HSBc20210216B1.exe, 00000001.00000003.234328883.000000000609C000.00000004.00000001.sdmp, HSBc20210216B1.exe, 00000001.00000003.234019758.000000000609B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: HSBc20210216B1.exe, 00000001.00000003.233470064.0000000006093000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/)
Source: HSBc20210216B1.exe, 00000001.00000003.234118051.000000000609B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/;
Source: HSBc20210216B1.exe, 00000001.00000003.233470064.0000000006093000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/D
Source: HSBc20210216B1.exe, 00000001.00000003.234243906.000000000609B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/E
Source: HSBc20210216B1.exe, 00000001.00000003.233470064.0000000006093000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/adnl
Source: HSBc20210216B1.exe, 00000001.00000003.234243906.000000000609B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: HSBc20210216B1.exe, 00000001.00000003.234243906.000000000609B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/3
Source: HSBc20210216B1.exe, 00000001.00000003.233790965.0000000006096000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/N
Source: HSBc20210216B1.exe, 00000001.00000003.234328883.000000000609C000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/x
Source: HSBc20210216B1.exe, 00000001.00000003.234328883.000000000609C000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/n
Source: HSBc20210216B1.exe, 00000001.00000003.234328883.000000000609C000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/t-u
Source: HSBc20210216B1.exe, 00000001.00000003.233790965.0000000006096000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/x
Source: HSBc20210216B1.exe, 00000001.00000003.235320871.00000000060C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.monotype.
Source: HSBc20210216B1.exe, 00000001.00000002.255035686.00000000072A2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: HSBc20210216B1.exe, 00000001.00000002.255035686.00000000072A2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: HSBc20210216B1.exe, 00000001.00000002.255035686.00000000072A2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: HSBc20210216B1.exe, 00000001.00000002.255035686.00000000072A2000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: HSBc20210216B1.exe, 00000001.00000002.255035686.00000000072A2000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: HSBc20210216B1.exe, 00000001.00000002.255035686.00000000072A2000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: HSBc20210216B1.exe, 00000001.00000003.231752467.00000000060C0000.00000004.00000001.sdmp, HSBc20210216B1.exe, 00000001.00000003.231718416.00000000060C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: HSBc20210216B1.exe, 00000001.00000003.231752467.00000000060C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cno.
Source: RegSvcs.exe, 00000005.00000002.494922031.00000000026E1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%$
Source: RegSvcs.exe, 00000005.00000002.494922031.00000000026E1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: RegSvcs.exe, 00000005.00000002.496366512.0000000002A40000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: HSBc20210216B1.exe, 00000001.00000002.251226749.0000000004069000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.490503848.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: RegSvcs.exe, 00000005.00000002.494922031.00000000026E1000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | DNS traffic detected: queries for: us2.smtp.mailhostbox.com
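The extracted configuration names the SMTP host, and the traffic lines show the hollowed RegSvcs.exe resolving that host and then connecting to 208.91.199.225 on 587 (the mail submission port). The Python below is an added example, not code from this report, of turning those two facts into detection and blocking logic: it correlates DNS answers and flows against the configuration host, flags SMTP traffic from processes that are not mail clients, and emits the IOC set to block. The mail-client allowlist is an assumption to adjust per site, the benign DNS and flow records are constructed, and the report does not print the DNS answer; that the query returned 208.91.199.225 is inferred from the TCP connection that followed it.

```python
from dataclasses import dataclass

# Exfiltration settings as extracted from the sample (credentials omitted here).
AGENTTESLA_CONFIG = {"Exfil Mode": "SMTP", "Host": "us2.smtp.mailhostbox.com"}

# Mail submission and relay ports. The sample used 587.
SMTP_PORTS = {25, 465, 587}

# Processes allowed to speak SMTP from workstations; assumed allowlist, site-specific.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}


@dataclass(frozen=True)
class DnsEvent:
    process: str
    qname: str
    answer: str     # address the query resolved to


@dataclass(frozen=True)
class Flow:
    process: str
    src: str        # "ip:port" as logged
    dst_ip: str
    dst_port: int


def correlate(dns_events, flows, config):
    """Return (finding, process, detail) tuples tying observed traffic to the config."""
    host = config.get("Host", "").lower()
    # Every address the config host resolved to during the capture.
    resolved = {d.answer for d in dns_events if d.qname.lower() == host}
    findings = []
    for d in dns_events:
        if d.qname.lower() == host:
            findings.append(("dns_query_for_config_host", d.process, d.qname))
    for f in flows:
        dst = f"{f.dst_ip}:{f.dst_port}"
        if f.dst_port in SMTP_PORTS and f.process.lower() not in MAIL_CLIENTS:
            findings.append(("smtp_from_non_mail_client", f.process, dst))
        if f.dst_ip in resolved:
            findings.append(("flow_to_config_host", f.process, dst))
    return findings


def iocs(config, dns_events):
    """Network IOCs worth blocking: the config host plus every address it resolved to."""
    host = config.get("Host", "").lower()
    return {host} | {d.answer for d in dns_events if d.qname.lower() == host}


# Constructed sample telemetry. The RegSvcs.exe records mirror the report; the
# DNS answer is inferred from the connection that followed. The rest is benign filler.
SAMPLE_DNS = [
    DnsEvent("RegSvcs.exe", "us2.smtp.mailhostbox.com", "208.91.199.225"),
    DnsEvent("chrome.exe", "www.example.test", "203.0.113.10"),
]
SAMPLE_FLOWS = [
    Flow("RegSvcs.exe", "192.168.2.3:49818", "208.91.199.225", 587),  # from the report
    Flow("outlook.exe", "192.168.2.3:49900", "10.0.0.25", 587),       # internal mail server
    Flow("chrome.exe", "192.168.2.3:49901", "203.0.113.10", 443),     # ordinary web traffic
]


if __name__ == "__main__":
    for finding in correlate(SAMPLE_DNS, SAMPLE_FLOWS, AGENTTESLA_CONFIG):
        print(*finding)
    print("block:", sorted(iocs(AGENTTESLA_CONFIG, SAMPLE_DNS)))
```

Blocking only the IP is weak since mailhostbox.com is a shared hosting provider and the operator can move mailboxes; the durable signal is a non-mail process opening port 587, which the first rule catches regardless of destination.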

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File written: C:\Windows\System32\drivers\etc\hosts
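The report records that the injected RegSvcs.exe wrote C:\Windows\System32\drivers\etc\hosts (and read it twice, see the System Summary below) but not what it wrote; malware commonly uses this file to sinkhole security-vendor and update domains so the host can no longer fetch signatures. The Python below is an added example, not code from this report, of a hosts-file integrity check that diffs the current file against a known-good copy and classifies each added mapping. Both file bodies are constructed for the example; the tampered entries use .test names and are not taken from this sample.

```python
import ipaddress

# Addresses that turn a name into a black hole when placed in the hosts file.
SINKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}

# Names that legitimately map to loopback in a stock hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Return (address, name, line number) for every mapping in a hosts file body."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            addr = str(ipaddress.ip_address(fields[0]))   # normalises e.g. 0::1 to ::1
        except ValueError:
            continue                              # malformed line, never resolves
        for name in fields[1:]:
            entries.append((addr, name.lower(), lineno))
    return entries


def hosts_findings(current, baseline):
    """Compare a hosts file with a known-good copy and classify every added mapping."""
    known = {(a, n) for a, n, _ in parse_hosts(baseline)}
    findings = []
    for addr, name, lineno in parse_hosts(current):
        if (addr, name) in known:
            continue
        if addr in SINKHOLE_ADDRESSES and name not in LOCAL_NAMES:
            reason = "sinkholed"      # name silently made unreachable (AV/update blocking)
        else:
            reason = "redirected"     # name pointed at some other host (phishing/MitM)
        findings.append({"line": lineno, "name": name, "address": addr, "reason": reason})
    return findings


# Constructed baseline: a stock Windows hosts file is comments only.
BASELINE_HOSTS = """# Stock hosts file (constructed for this example)
# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
#	::1             localhost
"""

# Constructed tampered copy: two vendor names sinkholed, one name redirected.
TAMPERED_HOSTS = BASELINE_HOSTS + """
127.0.0.1 www.av-vendor.test
0.0.0.0 update.av-vendor.test
198.51.100.7 login.bank.test
"""


if __name__ == "__main__":
    for f in hosts_findings(TAMPERED_HOSTS, BASELINE_HOSTS):
        print(f)
```

On a live host the baseline is the file from a golden image or the last known-good backup; the check runs under a high-privilege account because the hosts file sits under System32, which is also why the write from a user-level RegSvcs.exe is itself worth alerting on.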

                      System Summary:

                      barindex
                      Source: HSBc20210216B1.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeCode function: 1_2_0153E5D8
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeCode function: 1_2_0153E5CA
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeCode function: 1_2_0153BC34
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeCode function: 1_2_0507266F
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeCode function: 1_2_050740C8
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeCode function: 1_2_050729C8
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeCode function: 1_2_05072779
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeCode function: 1_2_05070006
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeCode function: 1_2_05072258
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeCode function: 1_2_05076C40
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeCode function: 1_2_050729C0
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeCode function: 1_2_05072BAC
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeCode function: 1_2_05072BF8
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeCode function: 1_2_056664C0
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeCode function: 1_2_056664B0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_005D38D8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_005DE68E
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_005D9768
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_005D0040
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_005DAA98
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_005DAB48
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00C094F0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00C066D0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00C04A50
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00C01ED0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00C07E40
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00C04078
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00C0D2F0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00C039E8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00C08E00
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00C02FB0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_026B47A0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_026B46FF
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_026BD670
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_05965690
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_005D3991
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_005D0B18
                      Source: HSBc20210216B1.exe, 00000001.00000002.249036318.0000000000E02000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameHostProtectionAttribu.exeh$ vs HSBc20210216B1.exe
                      Source: HSBc20210216B1.exe, 00000001.00000002.251226749.0000000004069000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameuEYPcZODvIXvprdFHyURaffEdgGZJ.exe4 vs HSBc20210216B1.exe
                      Source: HSBc20210216B1.exe, 00000001.00000002.256091516.00000000091C0000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameCF_Secretaria.dll< vs HSBc20210216B1.exe
                      Source: HSBc20210216B1.exeBinary or memory string: OriginalFilenameHostProtectionAttribu.exeh$ vs HSBc20210216B1.exe
                      Source: HSBc20210216B1.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: HSBc20210216B1.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: HSBc20210216B1.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe 43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
                      Source: HSBc20210216B1.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: HSBc20210216B1.exeVirustotal: Detection: 20%
                      Source: HSBc20210216B1.exeReversingLabs: Detection: 16%
                      Source: HSBc20210216B1.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknownProcess created: C:\Users\user\Desktop\HSBc20210216B1.exe 'C:\Users\user\Desktop\HSBc20210216B1.exe'
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe 'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe'
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe 'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe'
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HSBc20210216B1.exe.logJump to behavior
                      Source: classification engineClassification label: mal100.troj.adwa.spyw.evad.winEXE@7/6@1/1
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (2 occurrences)
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4088:120:WilError_01
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeMutant created: \Sessions\1\BaseNamedObjects\oKxHbXByQgAPcziaddzXctj
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6832:120:WilError_01
                      Source: HSBc20210216B1.exe, u0003u2001.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 1.0.HSBc20210216B1.exe.d60000.0.unpack, u0003u2001.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 1.2.HSBc20210216B1.exe.d60000.0.unpack, u0003u2001.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hosts (2 occurrences)
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: HSBc20210216B1.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: HSBc20210216B1.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000005.00000003.449772837.0000000005993000.00000004.00000001.sdmp, NXLun.exe, 00000012.00000002.314896853.0000000000A92000.00000002.00020000.sdmp, NXLun.exe, 00000017.00000000.328698652.0000000000C52000.00000002.00020000.sdmp, NXLun.exe.5.dr
                      Source: Binary string: RegSvcs.pdb source: NXLun.exe, NXLun.exe.5.dr

                      Data Obfuscation:

                      .NET source code contains potential unpacker
                      Source: HSBc20210216B1.exe, u0003u2001.cs.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 1.0.HSBc20210216B1.exe.d60000.0.unpack, u0003u2001.cs.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 1.2.HSBc20210216B1.exe.d60000.0.unpack, u0003u2001.cs.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_005DD828 push eax; retf 005Ah
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_005D7191 push 8BD08B05h; iretd
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_005DFB78 pushfd ; retf
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_026B451C push ss; retf
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_026B5EC8 push ds; retf
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.79300898434
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run NXLun (2 occurrences)
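The two static indicators in this section, a .text section with entropy 7.79 and a call to System.Reflection.Assembly::Load(System.Byte[]), are the fingerprint of a .NET crypter stub: an encrypted payload assembly is decrypted (see the TransformFinalBlock / CreateDecryptor calls listed above) and loaded straight from memory. Both can be checked before detonation. The Python below is an added example written for this page, not code from Joe Sandbox or from the sample: it walks the PE section table, computes Shannon entropy per section, and checks whether the CLR runtime header directory (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR) is populated. The 7.0 cut-off and the in-memory test image are the example's own assumptions.

```python
import math
import struct
from collections import Counter

# Assumed triage cut-off: sections at or above this entropy are treated as
# packed/encrypted. 7.0 is a common rule of thumb, not a value from the report.
ENTROPY_THRESHOLD = 7.0
CLR_HEADER_DIRECTORY = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def _optional_header_offset(image: bytes) -> int:
    """Validate MZ/PE signatures and return the offset of the optional header."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 24  # 4-byte signature + 20-byte COFF header


def pe_sections(image: bytes):
    """Yield (name, raw_bytes) for every entry in the section table."""
    opt = _optional_header_offset(image)
    num_sections = struct.unpack_from("<H", image, opt - 18)[0]  # COFF NumberOfSections
    size_opt = struct.unpack_from("<H", image, opt - 4)[0]       # COFF SizeOfOptionalHeader
    table = opt + size_opt
    for i in range(num_sections):
        hdr = table + i * 40
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        size_raw, ptr_raw = struct.unpack_from("<II", image, hdr + 16)
        if ptr_raw + size_raw > len(image):
            raise ValueError(f"section {name} points outside the image")
        yield name, image[ptr_raw:ptr_raw + size_raw]


def is_managed(image: bytes) -> bool:
    """True when the CLR runtime header data directory is populated (a .NET image)."""
    opt = _optional_header_offset(image)
    magic = struct.unpack_from("<H", image, opt)[0]
    directories = opt + (96 if magic == 0x10B else 112)  # PE32 vs PE32+
    rva, size = struct.unpack_from("<II", image, directories + CLR_HEADER_DIRECTORY * 8)
    return rva != 0 and size != 0


def triage(image: bytes) -> dict:
    """Per-section entropy plus the flags a reviewer wants before unpacking."""
    entropies = {name: round(shannon_entropy(data), 3) for name, data in pe_sections(image)}
    return {
        "managed": is_managed(image),
        "sections": entropies,
        "likely_packed": [n for n, e in entropies.items() if e >= ENTROPY_THRESHOLD],
    }


def try_triage(image: bytes) -> dict:
    """triage() that reports a malformed image instead of raising."""
    try:
        return triage(image)
    except (ValueError, struct.error) as exc:
        return {"error": str(exc)}


def build_test_image(sections) -> bytes:
    """Construct a minimal PE32 image with a CLR header directory and the given
    (name, data) sections. Test fixture for this example only; it does not run."""
    size_opt = 224  # PE32 optional header including 16 data directories
    e_lfanew = 0x40
    first_raw = e_lfanew + 4 + 20 + size_opt + 40 * len(sections)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<II", opt, 96 + CLR_HEADER_DIRECTORY * 8, 0x2008, 0x48)  # CLR header present
    table, blob, ptr = b"", b"", first_raw
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(data), ptr, len(data), ptr, 0, 0, 0, 0, 0x60000020)
        blob += data
        ptr += len(data)
    return dos + b"PE\0\0" + coff + bytes(opt) + table + blob


# Constructed sections: a uniform-byte ".text" (entropy 8.0, like an encrypted
# payload), plain ASCII ".rdata", and an all-zero ".rsrc".
SAMPLE_IMAGE = build_test_image([
    (b".text", bytes(range(256)) * 16),
    (b".rdata", b"Hello, World! " * 40),
    (b".rsrc", b"\0" * 512),
])

if __name__ == "__main__":
    print(triage(SAMPLE_IMAGE))
```

On a real file, pass open(path, "rb").read() to triage(). A managed image whose only high-entropy section is .text, combined with a decrypt-then-Assembly.Load call chain like the one listed above, is the profile to expect from this kind of crypter stub; the unpacked assembly is what the sandbox later dumps as the 1.2.HSBc20210216B1.exe.d60000.0.unpack artifact.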

                      Hooking and other Techniques for Hiding and Protection:

                      Hides that the sample has been downloaded from the Internet (zone.identifier)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe:Zone.Identifier read attributes | delete
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeProcess information set: NOOPENFILEERRORBOX (36 occurrences)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX (57 occurrences)
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeProcess information set: NOOPENFILEERRORBOX (28 occurrences)

                      Malware Analysis System Evasion:

                      Yara detected AntiVM3
                      Source: Yara matchFile source: 00000001.00000002.249871977.0000000003061000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: HSBc20210216B1.exe PID: 6404, type: MEMORYSTR
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                      Source: HSBc20210216B1.exe, 00000001.00000002.249871977.0000000003061000.00000004.00000001.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
                      Source: HSBc20210216B1.exe, 00000001.00000002.249871977.0000000003061000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exe TID: 6408Thread sleep time: -36606s >= -30000s
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exe TID: 6456Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe TID: 6084Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe TID: 2440Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeThread delayed: delay time: 922337203685477 (2 occurrences)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 9375
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 474
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeProcess information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeThread delayed: delay time: 36606
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeThread delayed: delay time: 922337203685477 (2 occurrences)
                      Source: HSBc20210216B1.exe, 00000001.00000002.249871977.0000000003061000.00000004.00000001.sdmpBinary or memory string: vmware
                      Source: HSBc20210216B1.exe, 00000001.00000002.249871977.0000000003061000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: HSBc20210216B1.exe, 00000001.00000002.249871977.0000000003061000.00000004.00000001.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                      Source: HSBc20210216B1.exe, 00000001.00000002.249871977.0000000003061000.00000004.00000001.sdmpBinary or memory string: VMWARE
                      Source: HSBc20210216B1.exe, 00000001.00000002.249871977.0000000003061000.00000004.00000001.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: HSBc20210216B1.exe, 00000001.00000002.249871977.0000000003061000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                      Source: HSBc20210216B1.exe, 00000001.00000002.249871977.0000000003061000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
                      Source: HSBc20210216B1.exe, 00000001.00000002.249871977.0000000003061000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
                      Source: RegSvcs.exe, 00000005.00000002.498042853.000000000597E000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeProcess token adjusted: Debug
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00C094F0 LdrInitializeThunk,
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeMemory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

                      Writes to foreign memory regions
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 438000
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43A000
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 695008
                      Modifies the hosts file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Windows\System32\drivers\etc\hosts
                      Injects a PE file into a foreign processes
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                      Source: RegSvcs.exe, 00000005.00000002.494135820.0000000001140000.00000002.00020000.sdmpBinary or memory string: Program Manager
                      Source: RegSvcs.exe, 00000005.00000002.494135820.0000000001140000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
                      Source: RegSvcs.exe, 00000005.00000002.494135820.0000000001140000.00000002.00020000.sdmpBinary or memory string: Progman
                      Source: RegSvcs.exe, 00000005.00000002.494135820.0000000001140000.00000002.00020000.sdmpBinary or memory string: Progmanlock
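The indicators in the evasion sections above are the ones a detection engineer correlates rather than alerts on one by one: the parent spawns RegSvcs.exe and then writes a buffer beginning with 4D5A (the MZ header) at base 400000 of that child, which is process hollowing of a signed .NET utility; the hollowed RegSvcs.exe then drops NXLun.exe, registers it under the HKCU Run key, strips the Zone.Identifier stream from it, rewrites the hosts file, fingerprints the hardware through WMI and sleeps for effectively unbounded intervals. The Python below is an added example written for this page, not part of the Joe Sandbox report and not code from the sample: it parses constructed event lines shaped like the report's entries and emits findings with ATT&CK technique IDs, flagging an injection only when the writer also created the target. The " | " separated line format, the fixture lines, the 0x400000 image base and the technique mappings are the example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed event lines in the shape "<process> | <event> | <detail>", modelled
# on the entries in the report above. They are a fixture for this example, not
# lines copied from the report.
SAMPLE_EVENTS = [
    r"C:\Users\user\Desktop\HSBc20210216B1.exe | Process created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
    r"C:\Users\user\Desktop\HSBc20210216B1.exe | Memory written | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A",
    r"C:\Users\user\Desktop\HSBc20210216B1.exe | Memory written | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000",
    r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Registry value created or modified | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run NXLun",
    r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File written | C:\Windows\System32\drivers\etc\hosts",
    r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened | C:\Users\user\AppData\Roaming\NXLun\NXLun.exe:Zone.Identifier read attributes | delete",
    r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries | IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard",
    r"C:\Users\user\Desktop\HSBc20210216B1.exe | Thread sleep time | -922337203685477s >= -30000s",
    r"C:\Windows\System32\conhost.exe | Mutant created | \Sessions\1\BaseNamedObjects\Local\SM0:4088:120:WilError_01",
]

IMAGE_BASE = 0x400000  # assumption: default image base of a 32-bit .NET executable
SLEEP_LIMIT = 30000    # the report's own comparison value ("-30000s")
VM_WMI_CLASSES = ("Win32_BaseBoard", "Win32_BIOS", "Win32_NetworkAdapterConfiguration")
RUN_KEY = r"\software\microsoft\windows\currentversion\run"
MEMWRITE = re.compile(r"(?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+)"
                      r"(?: value starts with: (?P<magic>[0-9A-Fa-f]+))?$")
SLEEP = re.compile(r"-(?P<ms>\d+)s")


def parse_event(line: str):
    """Split a fixture line into (process, event, detail); detail keeps any later ' | '."""
    proc, event, detail = (part.strip() for part in line.split(" | ", 2))
    return proc, event, detail


def analyse(lines):
    """Correlate sandbox events into findings tagged with ATT&CK technique IDs."""
    events = [parse_event(line) for line in lines]
    children = defaultdict(set)  # parent process -> processes it spawned
    for proc, event, detail in events:
        if event == "Process created":
            children[proc].add(detail)

    findings = []

    def flag(proc, technique, name, detail):
        findings.append({"process": proc, "technique": technique, "name": name, "detail": detail})

    for proc, event, detail in events:
        if event == "Memory written":
            m = MEMWRITE.match(detail)
            # Hollowing pattern: the writer spawned the target, then placed an MZ header at its image base.
            if (m and m["magic"] == "4D5A" and int(m["base"], 16) == IMAGE_BASE
                    and m["target"] in children[proc]):
                flag(proc, "T1055.012", "PE image written into a child process (process hollowing)", m["target"])
        elif event == "Registry value created or modified" and RUN_KEY in detail.lower():
            flag(proc, "T1547.001", "Run key persistence", detail)
        elif event == "File written" and detail.lower().endswith(r"\drivers\etc\hosts"):
            flag(proc, None, "hosts file modified (name resolution tampering)", detail)
        elif event == "File opened" and ":zone.identifier" in detail.lower() and "delete" in detail.lower():
            flag(proc, "T1553.005", "Mark-of-the-Web (Zone.Identifier) removed", detail)
        elif event == "WMI Queries" and detail.endswith(VM_WMI_CLASSES):
            flag(proc, "T1497.001", "hardware fingerprinting via WMI (VM detection)", detail)
        elif event == "Thread sleep time":
            m = SLEEP.match(detail)
            if m and int(m["ms"]) >= SLEEP_LIMIT:
                flag(proc, "T1497.003", "long sleep (time-based evasion)", detail)
    return findings


def techniques(findings) -> set:
    """Distinct ATT&CK IDs across the findings (unmapped findings are skipped)."""
    return {f["technique"] for f in findings if f["technique"]}


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"{f['technique'] or '-':>10}  {f['name']:<58} {f['process']}")
```

The process-creation correlation is what keeps the hollowing rule quiet on ordinary debuggers and installers: a 4D5A write at the image base of a process the writer did not itself create is left alone here, and so are the later writes at 402000, 438000 and 43A000, which carry section data rather than a header. In an EDR pipeline the same logic maps onto parent/child process telemetry plus cross-process memory write events; the RegSvcs.exe parent being a user-profile executable rather than msbuild or an installer is the additional context that turns this into a high-confidence alert.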
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Users\user\Desktop\HSBc20210216B1.exe VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\HSBc20210216B1.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeQueries volume information: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeQueries volume information: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Lowering of HIPS / PFW / Operating System Security Settings:

Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File written: C:\Windows\System32\drivers\etc\hosts

                      Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.HSBc20210216B1.exe.412acb8.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.HSBc20210216B1.exe.412acb8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.490503848.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.251226749.0000000004069000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.252492077.00000000042C5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.494922031.00000000026E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: HSBc20210216B1.exe PID: 6404, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6648, type: MEMORYSTR
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Tries to steal Mail credentials (via file access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: Yara match | File source: 00000005.00000002.494922031.00000000026E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6648, type: MEMORYSTR

                      Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.HSBc20210216B1.exe.412acb8.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.HSBc20210216B1.exe.412acb8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.490503848.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.251226749.0000000004069000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.252492077.00000000042C5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.494922031.00000000026E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: HSBc20210216B1.exe PID: 6404, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6648, type: MEMORYSTR

                      Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 211 | Registry Run Keys / Startup Folder 1 | Process Injection 212 | File and Directory Permissions Modification 1 | OS Credential Dumping 2 | System Information Discovery 114 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Registry Run Keys / Startup Folder 1 | Disable or Modify Tools 1 | Credentials in Registry 1 | Query Registry 1 | Remote Desktop Protocol | Data from Local System 2 | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information 1 | Security Account Manager | Security Software Discovery 211 | SMB/Windows Admin Shares | Email Collection 1 | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 2 | NTDS | Process Discovery 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 11 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing 13 | LSA Secrets | Virtualization/Sandbox Evasion 131 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading 1 | Cached Domain Credentials | Application Window Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion 131 | DCSync | Remote System Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection 212 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Hidden Files and Directories 1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

                      Behavior Graph

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet

Screenshots

(screenshot thumbnails were not captured in this text export)

                      Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
HSBc20210216B1.exe | 21% | Virustotal |
HSBc20210216B1.exe | 17% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | 0% | Metadefender |
C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | 0% | ReversingLabs |

Unpacked PE Files

Source | Detection | Scanner | Label
5.2.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

                      Domains

                      No Antivirus matches

                      URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://www.carterandcone.comn-u | 0% | URL Reputation | safe
http://www.carterandcone.comB4 | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.carterandcone.comnv | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/jp/3 | 0% | Avira URL Cloud | safe
http://www.carterandcone.com3 | 0% | Avira URL Cloud | safe
http://www.carterandcone.comvw | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/t-u | 0% | Avira URL Cloud | safe
http://www.carterandcone.com | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.carterandcone.com.12.p | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cnM4 | 0% | Avira URL Cloud | safe
http://www.carterandcone.comIyU4 | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/) | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/jp/N | 0% | Avira URL Cloud | safe
http://5c3LgjsgKO5q1r.com | 0% | Avira URL Cloud | safe
https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
http://www.fontbureau.com= | 0% | Avira URL Cloud | safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | 0% | URL Reputation | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://www.carterandcone.comBv | 0% | Avira URL Cloud | safe
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://www.carterandcone.comTC | 0% | URL Reputation | safe
http://www.carterandcone.com-y | 0% | Avira URL Cloud | safe
http://www.carterandcone.comcRyJ4 | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cne4 | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/E | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/D | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
http://www.fontbureau.coma | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/jp/x | 0% | URL Reputation | safe
http://jdPkJL.com | 0% | Avira URL Cloud | safe
https://api.ipify.org%$ | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/; | 0% | URL Reputation | safe
http://www.fontbureau.comceto | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/x | 0% | URL Reputation | safe
http://www.monotype. | 0% | URL Reputation | safe
http://www.carterandcone.comjw | 0% | Avira URL Cloud | safe
http://www.carterandcone.comw | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/n | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/adnl | 0% | URL Reputation | safe
http://www.zhongyicts.com.cno. | 0% | URL Reputation | safe
http://ocsp.sectigo.com0A | 0% | URL Reputation | safe
http://www.carterandcone.comTCwy | 0% | Avira URL Cloud | safe
http://www.fontbureau.comFn | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
us2.smtp.mailhostbox.com | 208.91.199.225 | true | false | (none) | high

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | RegSvcs.exe, 00000005.00000002.494922031.00000000026E1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.fontbureau.com/designersG | HSBc20210216B1.exe, 00000001.00000002.255035686.00000000072A2000.00000004.00000001.sdmp | false | (none) | high
http://www.carterandcone.comn-u | HSBc20210216B1.exe, 00000001.00000003.231752467.00000000060C0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/? | HSBc20210216B1.exe, 00000001.00000002.255035686.00000000072A2000.00000004.00000001.sdmp | false | (none) | high
http://www.carterandcone.comB4 | HSBc20210216B1.exe, 00000001.00000003.232607353.00000000060C0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn/bThe | HSBc20210216B1.exe, 00000001.00000002.255035686.00000000072A2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://us2.smtp.mailhostbox.com | RegSvcs.exe, 00000005.00000002.496366512.0000000002A40000.00000004.00000001.sdmp | false | (none) | high
http://www.fontbureau.com/designers? | HSBc20210216B1.exe, 00000001.00000002.255035686.00000000072A2000.00000004.00000001.sdmp | false | (none) | high
http://www.fontbureau.com/designersGqV4 | HSBc20210216B1.exe, 00000001.00000003.237063097.00000000060C0000.00000004.00000001.sdmp | false | (none) | high
http://www.carterandcone.comnv | HSBc20210216B1.exe, 00000001.00000003.232808189.00000000060C0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | HSBc20210216B1.exe, 00000001.00000002.255035686.00000000072A2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | HSBc20210216B1.exe, 00000001.00000002.255035686.00000000072A2000.00000004.00000001.sdmp | false | (none) | high
http://www.jiyu-kobo.co.jp/jp/3 | HSBc20210216B1.exe, 00000001.00000003.234243906.000000000609B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.com3 | HSBc20210216B1.exe, 00000001.00000003.231752467.00000000060C0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.comvw | HSBc20210216B1.exe, 00000001.00000003.232548828.00000000060C0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.goodfont.co.kr | HSBc20210216B1.exe, 00000001.00000002.255035686.00000000072A2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/t-u | HSBc20210216B1.exe, 00000001.00000003.234328883.000000000609C000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.com | HSBc20210216B1.exe, 00000001.00000003.232393260.00000000060C0000.00000004.00000001.sdmp, HSBc20210216B1.exe, 00000001.00000003.231752467.00000000060C0000.00000004.00000001.sdmp, HSBc20210216B1.exe, 00000001.00000003.232607353.00000000060C0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | HSBc20210216B1.exe, 00000001.00000002.255035686.00000000072A2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | HSBc20210216B1.exe, 00000001.00000002.255035686.00000000072A2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | HSBc20210216B1.exe, 00000001.00000002.255035686.00000000072A2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.com.12.p | HSBc20210216B1.exe, 00000001.00000003.231789778.00000000060C0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | HSBc20210216B1.exe, 00000001.00000002.255035686.00000000072A2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | HSBc20210216B1.exe, 00000001.00000002.255035686.00000000072A2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cnM4 | HSBc20210216B1.exe, 00000001.00000003.231266137.00000000060BE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.comIyU4 | HSBc20210216B1.exe, 00000001.00000003.232393260.00000000060C0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/DPlease | HSBc20210216B1.exe, 00000001.00000002.255035686.00000000072A2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/) | HSBc20210216B1.exe, 00000001.00000003.233470064.0000000006093000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/jp/N | HSBc20210216B1.exe, 00000001.00000003.233790965.0000000006096000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://5c3LgjsgKO5q1r.com | RegSvcs.exe, 00000005.00000002.494922031.00000000026E1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://api.ipify.org%GETMozilla/5.0 | RegSvcs.exe, 00000005.00000002.494922031.00000000026E1000.00000004.00000001.sdmp | false | URL Reputation: safe | low
http://www.fonts.com | HSBc20210216B1.exe, 00000001.00000002.255035686.00000000072A2000.00000004.00000001.sdmp | false | (none) | high
http://www.sandoll.co.kr | HSBc20210216B1.exe, 00000001.00000002.255035686.00000000072A2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | HSBc20210216B1.exe, 00000001.00000002.255035686.00000000072A2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | HSBc20210216B1.exe, 00000001.00000003.231752467.00000000060C0000.00000004.00000001.sdmp, HSBc20210216B1.exe, 00000001.00000003.231718416.00000000060C0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designersp | HSBc20210216B1.exe, 00000001.00000003.235700772.00000000060C0000.00000004.00000001.sdmp | false | (none) | high
http://www.sakkal.com | HSBc20210216B1.exe, 00000001.00000002.255035686.00000000072A2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | HSBc20210216B1.exe, 00000001.00000002.251226749.0000000004069000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.490503848.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com= | HSBc20210216B1.exe, 00000001.00000002.254016500.0000000006090000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | RegSvcs.exe, 00000005.00000002.496366512.0000000002A40000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | HSBc20210216B1.exe, 00000001.00000003.231640927.00000000060BF000.00000004.00000001.sdmp | false | (none) | high
http://www.fontbureau.com | HSBc20210216B1.exe, 00000001.00000002.255035686.00000000072A2000.00000004.00000001.sdmp | false | (none) | high
http://DynDns.comDynDNS | RegSvcs.exe, 00000005.00000002.494922031.00000000026E1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.comBv | HSBc20210216B1.exe, 00000001.00000003.232808189.00000000060C0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://sectigo.com/CPS0 | RegSvcs.exe, 00000005.00000002.496366512.0000000002A40000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | RegSvcs.exe, 00000005.00000002.494922031.00000000026E1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.comTC | HSBc20210216B1.exe, 00000001.00000003.232607353.00000000060C0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.com-y | HSBc20210216B1.exe, 00000001.00000003.232607353.00000000060C0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.comcRyJ4 | HSBc20210216B1.exe, 00000001.00000003.232393260.00000000060C0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cne4 | HSBc20210216B1.exe, 00000001.00000003.231266137.00000000060BE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/E | HSBc20210216B1.exe, 00000001.00000003.234243906.000000000609B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/D | HSBc20210216B1.exe, 00000001.00000003.233470064.0000000006093000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/jp/ | HSBc20210216B1.exe, 00000001.00000003.234243906.000000000609B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.coma | HSBc20210216B1.exe, 00000001.00000002.254016500.0000000006090000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/jp/x | HSBc20210216B1.exe, 00000001.00000003.234328883.000000000609C000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://jdPkJL.com | RegSvcs.exe, 00000005.00000002.494922031.00000000026E1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://api.ipify.org%$ | RegSvcs.exe, 00000005.00000002.494922031.00000000026E1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.carterandcone.coml | HSBc20210216B1.exe, 00000001.00000002.255035686.00000000072A2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/; | HSBc20210216B1.exe, 00000001.00000003.234118051.000000000609B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | HSBc20210216B1.exe, 00000001.00000002.255035686.00000000072A2000.00000004.00000001.sdmp | false | (none) | high
http://www.fontbureau.com/designers2qa4n | HSBc20210216B1.exe, 00000001.00000003.236025933.00000000060C0000.00000004.00000001.sdmp | false | (none) | high
http://www.fontbureau.comceto | HSBc20210216B1.exe, 00000001.00000002.254016500.0000000006090000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn | HSBc20210216B1.exe, 00000001.00000003.231266137.00000000060BE000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/x | HSBc20210216B1.exe, 00000001.00000003.233790965.0000000006096000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | HSBc20210216B1.exe, 00000001.00000002.255035686.00000000072A2000.00000004.00000001.sdmp | false | (none) | high
http://www.monotype. | HSBc20210216B1.exe, 00000001.00000003.235320871.00000000060C0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.comjw | HSBc20210216B1.exe, 00000001.00000003.232393260.00000000060C0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.comw | HSBc20210216B1.exe, 00000001.00000003.232607353.00000000060C0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/ | HSBc20210216B1.exe, 00000001.00000003.233470064.0000000006093000.00000004.00000001.sdmp, HSBc20210216B1.exe, 00000001.00000003.234328883.000000000609C000.00000004.00000001.sdmp, HSBc20210216B1.exe, 00000001.00000003.234019758.000000000609B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/n | HSBc20210216B1.exe, 00000001.00000003.234328883.000000000609C000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/adnl | HSBc20210216B1.exe, 00000001.00000003.233470064.0000000006093000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cno. | HSBc20210216B1.exe, 00000001.00000003.231752467.00000000060C0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | HSBc20210216B1.exe, 00000001.00000003.236619080.00000000060C0000.00000004.00000001.sdmp, HSBc20210216B1.exe, 00000001.00000002.255035686.00000000072A2000.00000004.00000001.sdmp | false | (none) | high
http://ocsp.sectigo.com0A | RegSvcs.exe, 00000005.00000002.496366512.0000000002A40000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/ | HSBc20210216B1.exe, 00000001.00000003.235658575.00000000060C0000.00000004.00000001.sdmp | false | (none) | high
http://www.carterandcone.comTCwy | HSBc20210216B1.exe, 00000001.00000003.231865905.00000000060C0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comFn | HSBc20210216B1.exe, 00000001.00000002.254016500.0000000006090000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designersXq | HSBc20210216B1.exe, 00000001.00000003.236025933.00000000060C0000.00000004.00000001.sdmp | false | (none) | high
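The rows in this table are strings carved from memory dumps, so most of them carry a few stray bytes glued to the real URL (comTCwy, cno., %GETMozilla/5.0), and the "Malicious: false" and "safe" cells are per-URL reputation lookups, not a verdict on the sample. What a triage analyst actually wants from the table is which hosts were carved from which process: strings found in RegSvcs.exe, the process that holds the injected payload in this analysis, are the payload's own network indicators (the SMTP host, api.ipify.org, the Tor download URL), while the dropper's dumps are dominated by URLs such as fontbureau.com and carterandcone.com of the kind found in embedded font metadata. The script below is an added example written for this page, not code from the report or from Joe Sandbox. It parses seven rows copied verbatim from the table in the fused form the extraction produced, splits the URL from its carving process, trims the garbage on the host using a TLD list that is an assumption taken from the hosts in this report, and groups hosts by process. Hosts whose TLD was cut off entirely (www.monotype.) stay truncated, since nothing reliable survived carving.

```python
import re

# Names of the two processes in this report. The HTML-to-text extraction fused
# the "Name" (URL) and "Source" (process + memory dump) cells, and the process
# name is the only reliable boundary between a carved URL and its source.
PROCESS_NAMES = ("HSBc20210216B1.exe", "RegSvcs.exe")
SOURCE_RE = re.compile(r"(HSBc20210216B1\.exe|RegSvcs\.exe), ([0-9A-F.]+\.sdmp)")
URL_RE = re.compile(r"^(https?)://([A-Za-z0-9.-]+)(.*)$")
REPUTATIONS = {"high", "low", "unknown"}
# Assumption: the only top-level domains that occur in this report. Carving glues
# stray bytes to the last host label ("comTCwy", "cno."); a known TLD prefix is
# how the real end of the host is found. Longer TLDs are tried first.
KNOWN_TLDS = sorted(("com", "net", "org", "cn", "jp", "kr", "de"), key=len, reverse=True)

# Seven rows copied verbatim from the report's table, in the fused form the
# extraction produced: URL + process + dump + Malicious flag, then an optional
# scanner verdict line, then the reputation.
REPORT_ROWS = """
http://127.0.0.1:HTTP/1.1RegSvcs.exe, 00000005.00000002.494922031.00000000026E1000.00000004.00000001.sdmpfalse
• Avira URL Cloud: safe
low
http://us2.smtp.mailhostbox.comRegSvcs.exe, 00000005.00000002.496366512.0000000002A40000.00000004.00000001.sdmpfalse
high
http://www.carterandcone.comHSBc20210216B1.exe, 00000001.00000003.232393260.00000000060C0000.00000004.00000001.sdmp, HSBc20210216B1.exe, 00000001.00000003.231752467.00000000060C0000.00000004.00000001.sdmp, HSBc20210216B1.exe, 00000001.00000003.232607353.00000000060C0000.00000004.00000001.sdmpfalse
• URL Reputation: safe
unknown
https://api.ipify.org%GETMozilla/5.0RegSvcs.exe, 00000005.00000002.494922031.00000000026E1000.00000004.00000001.sdmpfalse
• URL Reputation: safe
low
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zipHSBc20210216B1.exe, 00000001.00000002.251226749.0000000004069000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.490503848.0000000000402000.00000040.00000001.sdmpfalse
• URL Reputation: safe
unknown
http://www.carterandcone.com.12.pHSBc20210216B1.exe, 00000001.00000003.231789778.00000000060C0000.00000004.00000001.sdmpfalse
• Avira URL Cloud: safe
unknown
http://www.monotype.HSBc20210216B1.exe, 00000001.00000003.235320871.00000000060C0000.00000004.00000001.sdmpfalse
• URL Reputation: safe
unknown
"""

def split_name_source(line):
    """Split a fused row line into (url, [(process, dump), ...], malicious)."""
    cut = min((i for i in (line.find(p) for p in PROCESS_NAMES) if i >= 0), default=-1)
    if cut < 0:
        raise ValueError("no process name in row: %r" % line)
    url, rest = line[:cut], line[cut:]
    flag = re.search(r"(true|false)$", rest)          # the fused "Malicious" cell
    if flag is None:
        raise ValueError("no Malicious flag in row: %r" % line)
    return url, SOURCE_RE.findall(rest[:flag.start()]), flag.group(1) == "true"

def parse_rows(text):
    """One record per URL row: url, sources, malicious, verdict, reputation."""
    records, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.startswith(("http://", "https://")):
            url, sources, malicious = split_name_source(line)
            current = {"url": url, "sources": sources, "malicious": malicious,
                       "verdict": None, "reputation": None}
            records.append(current)
        elif current is not None and line.startswith("•"):
            current["verdict"] = line.lstrip("• ")     # e.g. "URL Reputation: safe"
        elif current is not None and line in REPUTATIONS:
            current["reputation"] = line
        else:
            raise ValueError("unexpected line: %r" % line)
    return records

def normalize(url):
    """Return (host, remainder), trimming carving garbage glued to the host."""
    m = URL_RE.match(url)
    if m is None:
        return None, url
    labels = m.group(2).rstrip(".").split(".")
    for i in range(len(labels) - 1, -1, -1):       # right-most label with a TLD prefix wins
        tld = next((t for t in KNOWN_TLDS if labels[i].startswith(t)), None)
        if tld is not None:
            labels = labels[:i] + [tld]
            break
    return ".".join(labels).lower(), m.group(3)

def hosts_by_process(records):
    """Which normalised hosts were carved from which process's memory."""
    out = {}
    for r in records:
        host, _ = normalize(r["url"])
        for proc, _dump in r["sources"]:
            out.setdefault(proc, set()).add(host)
    return out

if __name__ == "__main__":
    recs = parse_rows(REPORT_ROWS)
    for proc, hosts in sorted(hosts_by_process(recs).items()):
        print(proc, "->", ", ".join(sorted(hosts)))
```

The TLD trimming is deliberately a prefix match on the right-most label that looks like a TLD, so a host followed by garbage labels (www.carterandcone.com.12.p) still collapses onto www.carterandcone.com; path garbage (/jp/3, /cne4) is left alone because nothing in the string says where a real path ends. Running the full table through the same code is a matter of pasting more rows into REPORT_ROWS.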

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
208.91.199.225 | us2.smtp.mailhostbox.com | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 483659
Start date: 15.09.2021
Start time: 11:04:40
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 8s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: HSBc20210216B1.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 31
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.adwa.spyw.evad.winEXE@7/6@1/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 0.1% (good quality ratio 0.1%)
• Quality average: 80.1%
• Quality standard deviation: 17.2%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 92.122.145.220, 23.35.236.56, 20.82.210.154, 13.107.4.50, 8.248.135.254, 67.27.233.254, 67.27.159.254, 67.26.139.254, 8.248.145.254, 20.54.110.249, 40.112.88.60, 23.216.77.208, 23.216.77.209
• Excluded domains from analysis (whitelisted): fg.download.windowsupdate.com.c.footprint.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, b1ns.c-0001.c-msedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, b1ns.au-msedge.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, c-0001.c-msedge.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time | Type | Description
11:05:47 | API Interceptor | 1x Sleep call for process: HSBc20210216B1.exe modified
11:06:00 | API Interceptor | 731x Sleep call for process: RegSvcs.exe modified
11:06:10 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run NXLun C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
11:06:18 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run NXLun C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
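The two Autostart lines are the persistence mechanism: a Run value named NXLun pointing at a copy of the payload in a directory of the same name directly under the user's AppData\Roaming, written through both the HKCU and the HKCU64 view (treated here as two views of the same value, which is an assumption about the report's notation). That shape, a user-writable location, a directory named after the binary, and a value name equal to the executable name, is what an analyst looks for when reviewing Run keys on other hosts. The following is an added example for this page, not code from the report or from Joe Sandbox: it scores autostart lines written in the same format as this table. The two NXLun lines are the report's own; the other three lines, including their paths and value names, are constructed for contrast and do not come from the analysis.

```python
import re
from pathlib import PureWindowsPath

# Autostart lines in the format of the report's "Behavior and APIs" table.
# The two NXLun lines are copied from the report; the other three are
# constructed here for contrast and are not observations from the analysis.
EVENTS = [
    r"Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run NXLun C:\Users\user\AppData\Roaming\NXLun\NXLun.exe",
    r"Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run NXLun C:\Users\user\AppData\Roaming\NXLun\NXLun.exe",
    r"Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Updater C:\Users\user\AppData\Local\Temp\updater.exe",
    r"Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ExampleUpdater C:\Program Files\ExampleApp\ExampleUpdater.exe",
    r"Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run SecurityHealth C:\Windows\system32\SecurityHealthSystray.exe",
]

RUN_LINE_RE = re.compile(
    r"^Run: (?P<hive>HKCU64|HKCU|HKLM64|HKLM)\\(?P<key>\S+) (?P<name>\S+) (?P<path>.+)$")

def parse_autostart(line):
    """Parse one 'Run:' line; returns None for lines in another format."""
    m = RUN_LINE_RE.match(line)
    if m is None:
        return None
    return {
        # HKCU64 is treated as the 64-bit view of HKCU (assumption about the
        # report's notation), so both report lines collapse onto one value.
        "hive": m["hive"].replace("64", ""),
        "key": m["key"].lower(),
        "name": m["name"],
        "path": PureWindowsPath(m["path"]),
    }

def is_user_writable(path):
    """True for profile locations a standard user can write to."""
    parts = [p.lower() for p in path.parts]
    if len(parts) >= 3 and parts[1] == "users":
        if parts[2] == "public":
            return True
        if len(parts) >= 5 and parts[3] == "appdata" and parts[4] in ("roaming", "local"):
            return True
    return "temp" in parts

def assess(event):
    """Score one Run value; returns (level, reasons)."""
    path, reasons = event["path"], []
    if is_user_writable(path):
        reasons.append("executable lives under a user-writable profile directory")
        # NXLun\NXLun.exe: a directory named after the binary, directly under Roaming
        if path.parent.name.lower() == path.stem.lower() and path.parent.parent.name.lower() == "roaming":
            reasons.append("self-named directory directly under AppData\\Roaming")
        if event["name"].lower() == path.stem.lower():
            reasons.append("Run value name equals the executable name")
    level = "high" if len(reasons) >= 3 else ("suspicious" if reasons else "none")
    return level, reasons

def triage(lines):
    """Map each distinct (hive, key, value name, path) to its assessment."""
    results = {}
    for line in lines:
        ev = parse_autostart(line)
        if ev is None:
            continue
        ident = (ev["hive"], ev["key"], ev["name"].lower(), str(ev["path"]).lower())
        if ident not in results:          # HKCU and HKCU64 duplicates collapse here
            results[ident] = assess(ev)
    return results

if __name__ == "__main__":
    for ident, (level, reasons) in triage(EVENTS).items():
        print(level.upper(), ident[2], ident[3])
        for reason in reasons:
            print("   -", reason)
```

The checks are purely structural, so a legitimate per-user installer that also drops a self-named directory under Roaming will score the same as NXLun; on a live host the next step is the binary itself (signature, hash, and whether it matches the sample's SHA256 from this report), which a path check cannot stand in for.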

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection
208.91.199.225 | POINQUIRYRFQ676889.exe | malicious
 | qiQvJ3jGU2.exe | malicious
 | S121093 - RE Wire Transfer - 8,000.00 USD - deposit.exe | malicious
 | RFQ#MAT#Quotation No. 20077253.exe | malicious
 | Payment Advice 09092021 HSBC096754BK56CBREF.exe | malicious
 | PaymentReceipt.doc | malicious
 | Swift Transfer Copy mt103_PDF.exe | malicious
 | SecuriteInfo.com.MachineLearning.Anomalous.94.8891.exe | malicious
 | PURCHASE ORDER 2021.exe | malicious
 | L9d4lSc9LF4Yv1t.exe | malicious
 | P.O_345.exe | malicious
 | revised order-number 3A6.exe | malicious
 | QUOTATION -PDF-SCAN-COPY.exe | malicious
 | Urgent RFQ #2105031.pdf.exe | malicious
 | Listed Items Order.exe | malicious
 | order-2021-PO # 0834.xlsx | malicious
 | qPlRnI13fW.exe | malicious
 | PO.exe | malicious
 | VOn3J2hVHa.exe | malicious
 | BANK REPORT AUTHORIZATION LETTER.exe | malicious

Domains

Match: us2.smtp.mailhostbox.com (SMTP host also contacted by the samples below; the context column is the IP it resolved to in that analysis)

Associated Sample Name / URL | Detection | Context (IP)
POINQUIRYRFQ676889.exe | malicious | 208.91.199.223
PO- 45020032 Juv#U00e9l AS.exe | malicious | 208.91.199.224
48q74tT5IK.exe | malicious | 208.91.199.224
qiQvJ3jGU2.exe | malicious | 208.91.199.225
S121093 - RE Wire Transfer - 8,000.00 USD - deposit.exe | malicious | 208.91.199.224
Final Sept Order #0921.exe | malicious | 208.91.199.224
DHL Express Invoice.exe | malicious | 208.91.198.143
ee5s192YZ34Ybve.exe | malicious | 208.91.199.223
Payment Advice 09092021 HSBC096754BK56CBREF.exe | malicious | 208.91.199.224
sapa list.doc | malicious | 208.91.198.143
RFQ#MAT#Quotation No. 20077253.exe | malicious | 208.91.199.225
04142021_10RD0207S0N0000,pdf.exe | malicious | 208.91.199.223
HY19071 PI.exe | malicious | 208.91.198.143
PO_Contract_ANR07152112_20210715181907__110.exe | malicious | 208.91.198.143
RFQ-#80986-3580.exe | malicious | 208.91.199.224
Bank swift copy.exe | malicious | 208.91.199.224
i9fnXDoul7.exe | malicious | 208.91.199.225
Shipping Doc_968018592077_pdf.exe | malicious | 208.91.198.143
AWB_968018592077_Invoice_pdf.exe | malicious | 208.91.198.143
#QuotationEX-2-0093-Q-FOB@2021-10-09.exe | malicious | 208.91.199.224

ASN

Match: PUBLIC-DOMAIN-REGISTRYUS (the context column is the IP in this ASN that the other sample contacted)

Associated Sample Name / URL | Detection | Context (IP)
POINQUIRYRFQ676889.exe | malicious | 208.91.199.223
PO- 45020032 Juv#U00e9l AS.exe | malicious | 208.91.199.224
Qoutation for Strips.doc | malicious | 162.215.241.145
48q74tT5IK.exe | malicious | 208.91.199.224
qiQvJ3jGU2.exe | malicious | 208.91.199.225
S121093 - RE Wire Transfer - 8,000.00 USD - deposit.exe | malicious | 208.91.199.224
angelzx.exe | malicious | 162.215.241.145
Final Sept Order #0921.exe | malicious | 208.91.199.224
PO KV18RE001-A5193.doc | malicious | 199.79.62.16
DHL Express Invoice.exe | malicious | 208.91.198.143
0zWKZlSOqL.exe | malicious | 199.79.62.16
ee5s192YZ34Ybve.exe | malicious | 208.91.199.224
Payment advice_103.exe | malicious | 199.79.62.145
QUOTATION.exe | malicious | 162.215.249.19
diagram-595.doc | malicious | 116.206.105.115
Payment Advice 09092021 HSBC096754BK56CBREF.exe | malicious | 208.91.199.224
LJUNGBY QUOTATION.doc | malicious | 162.215.241.145
TPL020321.doc | malicious | 162.215.241.145
sapa list.doc | malicious | 208.91.198.143
diagram-378.doc | malicious | 116.206.105.115

JA3 Fingerprints

No context

Dropped Files

Match: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe (the same dropped file was seen in the analyses below)

Associated Sample Name / URL | Detection
SOA for V.R at USD.exe | malicious
required.exe | malicious
Bank details.exe | malicious
Payment Advice_JPEG.exe | malicious
SOA.exe | malicious
pleas.exe | malicious
MHHHG_9847654673T3RDNVAASGU.NET.exe | malicious
70654 SSEBACT.exe | malicious
AUG. SOA -USD53,123.16.exe | malicious
Yingtron Miga Trading - Request for Quotation.exe | malicious
SecuriteInfo.com.BackDoor.SpyBotNET.25.7070.exe | malicious
PO_Contract_ANR07152112_20210715181907__110.exe | malicious
TWM#U007e-04987474848GRRT.exe | malicious
OA9862qYq7.exe | malicious
PO#-BRU-2020-0010.exe | malicious
PO 901103237.exe | malicious
s8uDIcv0XT.exe | malicious
Bank Payment Transfer for PI. BT-GJ21001.exe | malicious
TT- Swift Copy.exe | malicious
323-TG-0653.exe | malicious

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HSBc20210216B1.exe.log
Process: C:\Users\user\Desktop\HSBc20210216B1.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5: FED34146BF2F2FA59DCF8702FCC8232E
SHA1: B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256: 123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512: 1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NXLun.exe.log
Process: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 142
Entropy (8bit): 5.090621108356562
Encrypted: false
SSDEEP: 3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
MD5: 8C0458BB9EA02D50565175E38D577E35
SHA1: F0B50702CD6470F3C17D637908F83212FDBDB2F2
SHA-256: C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
SHA-512: 804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
Malicious: false
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
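The two UsageLogs files above are written by the .NET runtime itself, not by the malware, which is why their content is rated benign while the first is still flagged: the value of the artifact is that it proves HSBc20210216B1.exe and NXLun.exe each ran as a .NET 4 assembly under the 32-bit CLR, and it records which framework assemblies each bound (Windows Forms, Drawing, Xml and Configuration for the sample; only System.EnterpriseServices for NXLun.exe). The parser below is an added example for triaging such logs, not part of the Joe Sandbox report. Its inputs are reconstructed from the two previews ("..": a CRLF in the report). The record-type meanings (1 = runtime setting, 2 = assembly bound without a native image, 3 = assembly bound with a native-image path) and the directory naming (CLR_v4.0_32 for the 32-bit runtime, CLR_v4.0 without suffix for 64-bit) are this example's reading of the format, not something the report states.

```python
"""Triage of .NET CLR UsageLogs artifacts like the two .log files above.

Added example, not part of the Joe Sandbox report. Record-type meanings and
the CLR_v4.0 / CLR_v4.0_32 directory convention are assumptions of this example.
"""
import csv
import re
from dataclasses import dataclass

# Records reconstructed from the two previews in the report ("..": a CRLF).
HSBC_LOG = (
    '1,"fusion","GAC",0\r\n'
    '1,"WinRT","NotApp",1\r\n'
    '2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0\r\n'
    '3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System\\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\\System.ni.dll",0\r\n'
    '2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0\r\n'
)
NXLUN_LOG = (
    '1,"fusion","GAC",0\r\n'
    '1,"WinRT","NotApp",1\r\n'
    '2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0\r\n'
)

# CLR_v4.0_32\UsageLogs\<exe>.log for the 32-bit runtime; no suffix assumed to mean 64-bit.
LOG_PATH = re.compile(r"CLR_v(\d+\.\d+)(?:_(32|64))?\\UsageLogs\\(.+\.exe)\.log$", re.IGNORECASE)


@dataclass(frozen=True)
class UsageRecord:
    kind: int     # 1 runtime setting, 2 IL-only assembly bind, 3 bind with a native image
    name: str     # setting name, or the assembly display name
    detail: str   # setting value (kind 1), native image path (kind 3), "" otherwise


def parse_usage_log(text: str) -> list:
    """Parse the quoted CSV records the CLR writes (assembly display names contain commas)."""
    records = []
    for row in csv.reader(text.splitlines()):
        if len(row) < 3:
            continue
        kind = int(row[0])
        detail = row[2] if kind in (1, 3) else ""
        records.append(UsageRecord(kind, row[1], detail))
    return records


def loaded_assemblies(records) -> list:
    """Simple names of the assemblies the CLR bound, in load order."""
    return [r.name.split(",")[0].strip() for r in records if r.kind in (2, 3)]


def describe_log_path(path: str) -> dict:
    """Recover which executable ran, and under which CLR, from where the log sits."""
    m = LOG_PATH.search(path)
    if not m:
        raise ValueError("not a CLR UsageLogs path: " + path)
    return {"executable": m.group(3), "clr": m.group(1), "bitness": m.group(2) or "64"}


def triage(path: str, text: str) -> dict:
    """One summary per artifact: what ran, under which runtime, and what it bound."""
    records = parse_usage_log(text)
    info = describe_log_path(path)
    info["assemblies"] = loaded_assemblies(records)
    info["native_images"] = [r.detail for r in records if r.kind == 3]
    return info


def assemblies_only_in(a: dict, b: dict) -> list:
    """Assemblies the first process bound that the second did not (capability hints)."""
    return [n for n in a["assemblies"] if n not in b["assemblies"]]


if __name__ == "__main__":
    first = triage(r"C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HSBc20210216B1.exe.log", HSBC_LOG)
    second = triage(r"C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NXLun.exe.log", NXLUN_LOG)
    for info in (first, second):
        print(info["executable"], "CLR", info["clr"], info["bitness"] + "-bit", info["assemblies"])
    print("bound only by the sample:", assemblies_only_in(first, second))
```

The log's file name, not its content, is the key fact for a timeline: a UsageLogs entry for an executable under a user profile path shows that a .NET binary was executed there even after the binary itself has been deleted.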
C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 45152
Entropy (8bit): 6.149629800481177
Encrypted: false
SSDEEP: 768:bBbSoy+SdIBf0k2dsYyV6Iq87PiU9FViaLmf:EoOIBf0ddsYy8LUjVBC
MD5: 2867A3817C9245F7CF518524DFD18F28
SHA1: D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC
SHA-256: 43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
SHA-512: 7D3D3DBB42B7966644D716AA9CBC75327B2ACB02E43C61F1DAD4AFE5521F9FE248B33347DFE15B637FB33EB97CDB322BCAEAE08BAE3F2FD863A9AD9B3A4D6B42
Malicious: true
Antivirus:
• Metadefender: 0% detection
• ReversingLabs: 0% detection
Joe Sandbox View (the same file was dropped in these analyses):
• SOA for V.R at USD.exe, Detection: malicious
• required.exe, Detection: malicious
• Bank details.exe, Detection: malicious
• Payment Advice_JPEG.exe, Detection: malicious
• SOA.exe, Detection: malicious
• pleas.exe, Detection: malicious
• MHHHG_9847654673T3RDNVAASGU.NET.exe, Detection: malicious
• 70654 SSEBACT.exe, Detection: malicious
• AUG. SOA -USD53,123.16.exe, Detection: malicious
• Yingtron Miga Trading - Request for Quotation.exe, Detection: malicious
• SecuriteInfo.com.BackDoor.SpyBotNET.25.7070.exe, Detection: malicious
• PO_Contract_ANR07152112_20210715181907__110.exe, Detection: malicious
• TWM#U007e-04987474848GRRT.exe, Detection: malicious
• OA9862qYq7.exe, Detection: malicious
• PO#-BRU-2020-0010.exe, Detection: malicious
• PO 901103237.exe, Detection: malicious
• s8uDIcv0XT.exe, Detection: malicious
• Bank Payment Transfer for PI. BT-GJ21001.exe, Detection: malicious
• TT- Swift Copy.exe, Detection: malicious
• 323-TG-0653.exe, Detection: malicious
Reputation: moderate, very likely benign file
The 0% AV detection and the benign reputation rate the file's content; the Malicious flag comes from its context, namely that it is written under %AppData% by the injected RegSvcs.exe process and that the identical file (same SHA-256) accompanies the twenty AgentTesla-type samples listed. When hunting, match on the path and hash together rather than on either alone.
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...zX.Z..............0..d..........V.... ........@.. ..............................."....`.....................................O.......8............r..`>.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........|...P...........................................r...p(....*2.(....(....*z..r...p(....(....(......}....*..{....*.s.........*.0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t......*..0..(....... ....s$........o%....X..(....-..*.o&...*.0...........('......&.....*.*...................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...
                                                                                                                                        C:\Windows\System32\drivers\etc\hosts
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 11
Entropy (8bit): 2.663532754804255
Encrypted: false
SSDEEP: 3:iLE:iLE
MD5: B24D295C1F84ECBFB566103374FB91C5
SHA1: 6A750D3F8B45C240637332071D34B403FA1FF55A
SHA-256: 4DC7B65075FBC5B5421551F0CB814CAFDC8CACA5957D393C222EE388B6F405F4
SHA-512: 9BE279BFA70A859608B50EF5D30BF2345F334E5F433C410EA6A188DCAB395BFF50C95B165177E59A29261464871C11F903A9ECE55B2D900FE49A9F3C49EB88FA
Malicious: true
Preview: ..127.0.0.1
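
The entry above records RegSvcs.exe (the injected host of the AgentTesla payload) rewriting the hosts file to an 11-byte file that holds only a CRLF and a bare loopback address. As an added check that is not part of the report, the Python below parses a hosts file the way a responder would after seeing that entry: it flags entries with an address but no hostname and files that have lost the comment header every stock Windows hosts file carries. Both sample contents are constructed here (the first to match the reported size, file type and entropy, the second as a stand-in for an untouched file); they are not captured from the sandbox.

```python
"""Post-infection hosts-file check. Added example, not part of the sandbox report.
The sample file contents are constructed, not captured from the analysed system."""
import ipaddress

# Constructed to match the reported dropped file: CRLF line terminators, 11 bytes, "127.0.0.1".
REWRITTEN_HOSTS = b"\r\n127.0.0.1"
# Constructed stand-in for an untouched Windows hosts file: comment lines only, no active mappings.
STOCK_HOSTS = b"# Copyright (c) 1993-2009 Microsoft Corp.\r\n#\r\n# 127.0.0.1       localhost\r\n"


def parse_hosts(data: bytes) -> list:
    """One record per non-comment, non-blank line: {'line', 'ip', 'names', 'problem'}."""
    records = []
    for lineno, raw in enumerate(data.decode("utf-8", "replace").splitlines(), 1):
        text = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not text:
            continue
        fields = text.split()
        rec = {"line": lineno, "ip": fields[0], "names": fields[1:], "problem": None}
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            rec["problem"] = "first field is not an IP address"
        else:
            if not fields[1:]:
                rec["problem"] = "address with no hostname"
        records.append(rec)
    return records


def audit_hosts(data: bytes) -> dict:
    """Summarise what a responder needs: active mappings, malformed lines, and whether any
    comment header survives (a stock Windows hosts file consists of comment lines only)."""
    records = parse_hosts(data)
    lines = data.decode("utf-8", "replace").splitlines()
    comment_lines = sum(1 for line in lines if line.lstrip().startswith("#"))
    return {
        "size": len(data),
        "comment_lines": comment_lines,
        "mappings": [r for r in records if r["problem"] is None],
        "malformed": [r for r in records if r["problem"]],
        "no_comment_header": comment_lines == 0,
    }


def is_suspicious(data: bytes) -> bool:
    """Heuristic (an assumption of this example): malformed entries, or no comment header at all,
    which is what a wholesale rewrite like the one in the report leaves behind."""
    report = audit_hosts(data)
    return bool(report["malformed"]) or report["no_comment_header"]


if __name__ == "__main__":
    for label, content in (("rewritten", REWRITTEN_HOSTS), ("stock", STOCK_HOSTS)):
        print(label, audit_hosts(content), "suspicious:", is_suspicious(content))
```

On a live host the same functions run over the bytes of C:\Windows\System32\drivers\etc\hosts; any active mapping in that file is non-default and worth reviewing, and the rewritten sample trips both heuristics at once.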
\Device\ConDrv
Process: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1141
Entropy (8bit): 4.44831826838854
Encrypted: false
SSDEEP: 24:zKLXkb4DObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0b4DQntKKH1MqJC
MD5: 1AEB3A784552CFD2AEDEDC1D43A97A4F
SHA1: 804286AB9F8B3DE053222826A69A7CDA3492411A
SHA-256: 0BC438F4B1208E1390C12D375B6CBB08BF47599D1F24BD07799BB1DF384AA293
SHA-512: 5305059BA86D5C2185E590EC036044B2A17ED9FD9863C2E3C7E7D8035EF0C79E53357AF5AE735F7D432BC70156D4BD3ACB42D100CFB05C2FB669EA22368F1415
Malicious: false
Preview: Microsoft (R) .NET Framework Services Installation Utility Version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.7208885042844395
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: HSBc20210216B1.exe
File size: 673280
MD5: ced0f1b2afd1d48ecb5dc8a563c836c9
SHA1: d999697f2b1111b7b72603bc9bee04cbf7a3664c
SHA256: 8bd91aa543ff97c07aae2a257ea7f97729c4345be8c4c4e6dea2e1aa48324bc3
SHA512: 40e38ba780d4e5ef665ce3b9130eb1552683f2e93618ee54c9ab9373d30d2dbcd2b68520a40c4f063fb9f9f74dafdc97baf1b0517adb6ee4548f0f5ecde25902
SSDEEP: 12288:nc2I/yzQs2TaIpI1KJAHSQNEMePF4AabmOil3rXiELMExnifxSIW:8MIpI1KJAHD64sGEkwIW
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...~.Aa.....................n......z.... ........@.. ....................................@................................

File Icon

Icon Hash: f1f0f4d0eecccc71

Static PE Info

General

Entrypoint: 0x49f47a
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x6141947E [Wed Sep 15 06:36:46 2021 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
(the add byte ptr [eax], al line repeats for the rest of the preview: after the six-byte stub the bytes are zero padding, which the disassembler renders as that instruction)

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x9f420          0x57          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xa2000          0x6b74        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xa0000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x2000           0x9d480       0x9d600   False     0.87101928614    data       7.79300898434   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.reloc  0xa0000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc   0xa2000          0x6b74        0x6c00    False     0.44165943287    data       5.12878842181   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

(Language and Country are empty for every entry.)

Name           RVA      Size    Type
RT_ICON        0xa22b0  0x668   data
RT_ICON        0xa2918  0x2e8   dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 1953594267, next used block 28725
RT_ICON        0xa2c00  0x128   GLS_BINARY_LSB_FIRST
RT_ICON        0xa2d28  0xea8   data
RT_ICON        0xa3bd0  0x8a8   dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0
RT_ICON        0xa4478  0x568   GLS_BINARY_LSB_FIRST
RT_ICON        0xa49e0  0x25a8  data
RT_ICON        0xa6f88  0x10a8  data
RT_ICON        0xa8030  0x468   GLS_BINARY_LSB_FIRST
RT_GROUP_ICON  0xa8498  0x84    data
RT_VERSION     0xa851c  0x4a4   data
RT_MANIFEST    0xa89c0  0x1b4   XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators

Imports

DLL | Import
mscoree.dll | _CorExeMain

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2008 - 2010
Assembly Version | 1.3.0.0
InternalName | HostProtectionAttribu.exe
FileVersion | 1.3.0.0
CompanyName | WHC
LegalTrademarks |
Comments | A little Tool where you can check the stats of your RYL - Risk Your Life - characters. Ruins of War version.
ProductName | RYL Character Tool - RoW EU version
ProductVersion | 1.3.0.0
FileDescription | RYL Character Tool - RoW EU version
OriginalFilename | HostProtectionAttribu.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 15, 2021 11:07:25.023073912 CEST | 49818 | 587 | 192.168.2.3 | 208.91.199.225
Sep 15, 2021 11:07:25.173002958 CEST | 587 | 49818 | 208.91.199.225 | 192.168.2.3
Sep 15, 2021 11:07:25.173178911 CEST | 49818 | 587 | 192.168.2.3 | 208.91.199.225
Sep 15, 2021 11:07:25.390908003 CEST | 587 | 49818 | 208.91.199.225 | 192.168.2.3
Sep 15, 2021 11:07:25.391247988 CEST | 49818 | 587 | 192.168.2.3 | 208.91.199.225
Sep 15, 2021 11:07:25.541506052 CEST | 587 | 49818 | 208.91.199.225 | 192.168.2.3
Sep 15, 2021 11:07:25.541528940 CEST | 587 | 49818 | 208.91.199.225 | 192.168.2.3
Sep 15, 2021 11:07:25.541909933 CEST | 49818 | 587 | 192.168.2.3 | 208.91.199.225
Sep 15, 2021 11:07:25.691804886 CEST | 587 | 49818 | 208.91.199.225 | 192.168.2.3
Sep 15, 2021 11:07:25.729424953 CEST | 49818 | 587 | 192.168.2.3 | 208.91.199.225
Sep 15, 2021 11:07:25.879793882 CEST | 587 | 49818 | 208.91.199.225 | 192.168.2.3
Sep 15, 2021 11:07:25.879827976 CEST | 587 | 49818 | 208.91.199.225 | 192.168.2.3
Sep 15, 2021 11:07:25.879841089 CEST | 587 | 49818 | 208.91.199.225 | 192.168.2.3
Sep 15, 2021 11:07:25.879870892 CEST | 587 | 49818 | 208.91.199.225 | 192.168.2.3
Sep 15, 2021 11:07:25.879884005 CEST | 587 | 49818 | 208.91.199.225 | 192.168.2.3
Sep 15, 2021 11:07:25.879942894 CEST | 49818 | 587 | 192.168.2.3 | 208.91.199.225
Sep 15, 2021 11:07:25.880003929 CEST | 49818 | 587 | 192.168.2.3 | 208.91.199.225
Sep 15, 2021 11:07:26.029994965 CEST | 587 | 49818 | 208.91.199.225 | 192.168.2.3
Sep 15, 2021 11:07:26.038964033 CEST | 49818 | 587 | 192.168.2.3 | 208.91.199.225
Sep 15, 2021 11:07:26.193147898 CEST | 587 | 49818 | 208.91.199.225 | 192.168.2.3
Sep 15, 2021 11:07:26.238986015 CEST | 49818 | 587 | 192.168.2.3 | 208.91.199.225
Sep 15, 2021 11:07:26.285326958 CEST | 49818 | 587 | 192.168.2.3 | 208.91.199.225
Sep 15, 2021 11:07:26.435360909 CEST | 587 | 49818 | 208.91.199.225 | 192.168.2.3
Sep 15, 2021 11:07:26.436443090 CEST | 49818 | 587 | 192.168.2.3 | 208.91.199.225
Sep 15, 2021 11:07:26.587333918 CEST | 587 | 49818 | 208.91.199.225 | 192.168.2.3
Sep 15, 2021 11:07:26.588517904 CEST | 49818 | 587 | 192.168.2.3 | 208.91.199.225
Sep 15, 2021 11:07:26.740755081 CEST | 587 | 49818 | 208.91.199.225 | 192.168.2.3
Sep 15, 2021 11:07:26.742675066 CEST | 49818 | 587 | 192.168.2.3 | 208.91.199.225
Sep 15, 2021 11:07:26.894594908 CEST | 587 | 49818 | 208.91.199.225 | 192.168.2.3
Sep 15, 2021 11:07:26.895179987 CEST | 49818 | 587 | 192.168.2.3 | 208.91.199.225
Sep 15, 2021 11:07:27.058990002 CEST | 587 | 49818 | 208.91.199.225 | 192.168.2.3
Sep 15, 2021 11:07:27.059870958 CEST | 49818 | 587 | 192.168.2.3 | 208.91.199.225
Sep 15, 2021 11:07:27.210155010 CEST | 587 | 49818 | 208.91.199.225 | 192.168.2.3
Sep 15, 2021 11:07:27.212805033 CEST | 49818 | 587 | 192.168.2.3 | 208.91.199.225
Sep 15, 2021 11:07:27.213078976 CEST | 49818 | 587 | 192.168.2.3 | 208.91.199.225
Sep 15, 2021 11:07:27.214459896 CEST | 49818 | 587 | 192.168.2.3 | 208.91.199.225
Sep 15, 2021 11:07:27.214610100 CEST | 49818 | 587 | 192.168.2.3 | 208.91.199.225
Sep 15, 2021 11:07:27.362935066 CEST | 587 | 49818 | 208.91.199.225 | 192.168.2.3
Sep 15, 2021 11:07:27.364438057 CEST | 587 | 49818 | 208.91.199.225 | 192.168.2.3
Sep 15, 2021 11:07:27.463826895 CEST | 587 | 49818 | 208.91.199.225 | 192.168.2.3
Sep 15, 2021 11:07:27.504678965 CEST | 49818 | 587 | 192.168.2.3 | 208.91.199.225

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 15, 2021 11:05:32.170110941 CEST | 49199 | 53 | 192.168.2.3 | 8.8.8.8
Sep 15, 2021 11:05:32.203713894 CEST | 53 | 49199 | 8.8.8.8 | 192.168.2.3
Sep 15, 2021 11:05:58.669965982 CEST | 50620 | 53 | 192.168.2.3 | 8.8.8.8
Sep 15, 2021 11:05:58.716447115 CEST | 53 | 50620 | 8.8.8.8 | 192.168.2.3
Sep 15, 2021 11:06:03.401226044 CEST | 64938 | 53 | 192.168.2.3 | 8.8.8.8
Sep 15, 2021 11:06:03.429721117 CEST | 53 | 64938 | 8.8.8.8 | 192.168.2.3
Sep 15, 2021 11:06:24.678782940 CEST | 60152 | 53 | 192.168.2.3 | 8.8.8.8
Sep 15, 2021 11:06:24.711296082 CEST | 53 | 60152 | 8.8.8.8 | 192.168.2.3
Sep 15, 2021 11:06:24.766593933 CEST | 57544 | 53 | 192.168.2.3 | 8.8.8.8
Sep 15, 2021 11:06:24.792968035 CEST | 53 | 57544 | 8.8.8.8 | 192.168.2.3
Sep 15, 2021 11:06:27.460290909 CEST | 55984 | 53 | 192.168.2.3 | 8.8.8.8
Sep 15, 2021 11:06:27.555267096 CEST | 53 | 55984 | 8.8.8.8 | 192.168.2.3
Sep 15, 2021 11:06:28.117266893 CEST | 64185 | 53 | 192.168.2.3 | 8.8.8.8
Sep 15, 2021 11:06:28.180778980 CEST | 53 | 64185 | 8.8.8.8 | 192.168.2.3
Sep 15, 2021 11:06:28.809495926 CEST | 65110 | 53 | 192.168.2.3 | 8.8.8.8
Sep 15, 2021 11:06:28.832197905 CEST | 58361 | 53 | 192.168.2.3 | 8.8.8.8
Sep 15, 2021 11:06:28.838449001 CEST | 53 | 65110 | 8.8.8.8 | 192.168.2.3
Sep 15, 2021 11:06:28.877655983 CEST | 53 | 58361 | 8.8.8.8 | 192.168.2.3
Sep 15, 2021 11:06:29.213187933 CEST | 63492 | 53 | 192.168.2.3 | 8.8.8.8
Sep 15, 2021 11:06:29.245426893 CEST | 53 | 63492 | 8.8.8.8 | 192.168.2.3
Sep 15, 2021 11:06:30.347157955 CEST | 60831 | 53 | 192.168.2.3 | 8.8.8.8
Sep 15, 2021 11:06:30.377033949 CEST | 53 | 60831 | 8.8.8.8 | 192.168.2.3
Sep 15, 2021 11:06:30.890995979 CEST | 60100 | 53 | 192.168.2.3 | 8.8.8.8
Sep 15, 2021 11:06:30.918320894 CEST | 53 | 60100 | 8.8.8.8 | 192.168.2.3
Sep 15, 2021 11:06:31.824090958 CEST | 53195 | 53 | 192.168.2.3 | 8.8.8.8
Sep 15, 2021 11:06:31.856848001 CEST | 53 | 53195 | 8.8.8.8 | 192.168.2.3
Sep 15, 2021 11:06:33.262025118 CEST | 50141 | 53 | 192.168.2.3 | 8.8.8.8
Sep 15, 2021 11:06:33.293486118 CEST | 53 | 50141 | 8.8.8.8 | 192.168.2.3
Sep 15, 2021 11:06:34.585237980 CEST | 53023 | 53 | 192.168.2.3 | 8.8.8.8
Sep 15, 2021 11:06:34.614674091 CEST | 53 | 53023 | 8.8.8.8 | 192.168.2.3
Sep 15, 2021 11:06:35.317593098 CEST | 49563 | 53 | 192.168.2.3 | 8.8.8.8
Sep 15, 2021 11:06:35.347192049 CEST | 53 | 49563 | 8.8.8.8 | 192.168.2.3
Sep 15, 2021 11:06:41.880130053 CEST | 51352 | 53 | 192.168.2.3 | 8.8.8.8
Sep 15, 2021 11:06:41.911132097 CEST | 53 | 51352 | 8.8.8.8 | 192.168.2.3
Sep 15, 2021 11:07:12.962673903 CEST | 59349 | 53 | 192.168.2.3 | 8.8.8.8
Sep 15, 2021 11:07:13.005645037 CEST | 53 | 59349 | 8.8.8.8 | 192.168.2.3
Sep 15, 2021 11:07:15.145039082 CEST | 57084 | 53 | 192.168.2.3 | 8.8.8.8
Sep 15, 2021 11:07:15.179986000 CEST | 53 | 57084 | 8.8.8.8 | 192.168.2.3
Sep 15, 2021 11:07:24.976735115 CEST | 58823 | 53 | 192.168.2.3 | 8.8.8.8
Sep 15, 2021 11:07:25.005244970 CEST | 53 | 58823 | 8.8.8.8 | 192.168.2.3

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Sep 15, 2021 11:07:24.976735115 CEST | 192.168.2.3 | 8.8.8.8 | 0x76ca | Standard query (0) | us2.smtp.mailhostbox.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Sep 15, 2021 11:07:25.005244970 CEST | 8.8.8.8 | 192.168.2.3 | 0x76ca | No error (0) | us2.smtp.mailhostbox.com | | 208.91.199.225 | A (IP address) | IN (0x0001)
Sep 15, 2021 11:07:25.005244970 CEST | 8.8.8.8 | 192.168.2.3 | 0x76ca | No error (0) | us2.smtp.mailhostbox.com | | 208.91.199.223 | A (IP address) | IN (0x0001)
Sep 15, 2021 11:07:25.005244970 CEST | 8.8.8.8 | 192.168.2.3 | 0x76ca | No error (0) | us2.smtp.mailhostbox.com | | 208.91.198.143 | A (IP address) | IN (0x0001)
Sep 15, 2021 11:07:25.005244970 CEST | 8.8.8.8 | 192.168.2.3 | 0x76ca | No error (0) | us2.smtp.mailhostbox.com | | 208.91.199.224 | A (IP address) | IN (0x0001)

SMTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Sep 15, 2021 11:07:25.390908003 CEST | 587 | 49818 | 208.91.199.225 | 192.168.2.3 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
Sep 15, 2021 11:07:25.391247988 CEST | 49818 | 587 | 192.168.2.3 | 208.91.199.225 | EHLO 358075
Sep 15, 2021 11:07:25.541528940 CEST | 587 | 49818 | 208.91.199.225 | 192.168.2.3 | 250-us2.outbound.mailhostbox.com
    250-PIPELINING
    250-SIZE 41648128
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
Sep 15, 2021 11:07:25.541909933 CEST | 49818 | 587 | 192.168.2.3 | 208.91.199.225 | STARTTLS
Sep 15, 2021 11:07:25.691804886 CEST | 587 | 49818 | 208.91.199.225 | 192.168.2.3 | 220 2.0.0 Ready to start TLS

Code Manipulations

Statistics

Behavior


System Behavior

General

Start time: 11:05:38
Start date: 15/09/2021
Path: C:\Users\user\Desktop\HSBc20210216B1.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\HSBc20210216B1.exe'
Imagebase: 0xd60000
File size: 673280 bytes
MD5 hash: CED0F1B2AFD1D48ECB5DC8A563C836C9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.249871977.0000000003061000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.251226749.0000000004069000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.251226749.0000000004069000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.252492077.00000000042C5000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.252492077.00000000042C5000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 11:05:49
Start date: 15/09/2021
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Imagebase: 0x480000
File size: 45152 bytes
MD5 hash: 2867A3817C9245F7CF518524DFD18F28
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.490503848.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000002.490503848.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.494922031.00000000026E1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.494922031.00000000026E1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                        Reputation:high

                                                                                                                                        General

                                                                                                                                        Start time:11:06:19
                                                                                                                                        Start date:15/09/2021
                                                                                                                                        Path:C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                        Commandline:'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe'
                                                                                                                                        Imagebase:0xa90000
                                                                                                                                        File size:45152 bytes
                                                                                                                                        MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                                                                                                        Has elevated privileges:true
                                                                                                                                        Has administrator privileges:true
                                                                                                                                        Programmed in:.Net C# or VB.NET
                                                                                                                                        Antivirus matches:
                                                                                                                                        • Detection: 0%, Metadefender, Browse
                                                                                                                                        • Detection: 0%, ReversingLabs
                                                                                                                                        Reputation:high

                                                                                                                                        General

                                                                                                                                        Start time:11:06:19
                                                                                                                                        Start date:15/09/2021
                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                        Imagebase:0x7ff6b2800000
                                                                                                                                        File size:625664 bytes
                                                                                                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                        Has elevated privileges:true
                                                                                                                                        Has administrator privileges:true
                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                        Reputation:high

                                                                                                                                        General

                                                                                                                                        Start time:11:06:27
                                                                                                                                        Start date:15/09/2021
                                                                                                                                        Path:C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                        Commandline:'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe'
                                                                                                                                        Imagebase:0xc50000
                                                                                                                                        File size:45152 bytes
                                                                                                                                        MD5 hash:2867A3817C9245F7CF518524DFD18F28
                                                                                                                                        Has elevated privileges:true
                                                                                                                                        Has administrator privileges:true
                                                                                                                                        Programmed in:.Net C# or VB.NET
                                                                                                                                        Reputation:high

                                                                                                                                        General

                                                                                                                                        Start time:11:06:27
                                                                                                                                        Start date:15/09/2021
                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                        Imagebase:0x7ff6b2800000
                                                                                                                                        File size:625664 bytes
                                                                                                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                        Has elevated privileges:true
                                                                                                                                        Has administrator privileges:true
                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                        Reputation:high

                                                                                                                                        Disassembly

                                                                                                                                        Code Analysis
