Windows Analysis Report macdonzx.exe

Overview

General Information

Sample Name: macdonzx.exe
Analysis ID: 552884
MD5: e1cdd88e54fde674768d48d248cb24ce
SHA1: facde9af9ce38ca5c0c30f343dfa525a9931a57d
SHA256: 734acbd591b35c3ab42e36ed5b97712ff3d1935a756d9158dbb1fcbaf8b5c1d6
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Antivirus detection for URL or domain
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Modifies the hosts file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • macdonzx.exe (PID: 5652 cmdline: "C:\Users\user\Desktop\macdonzx.exe" MD5: E1CDD88E54FDE674768D48D248CB24CE)
    • macdonzx.exe (PID: 2056 cmdline: C:\Users\user\Desktop\macdonzx.exe MD5: E1CDD88E54FDE674768D48D248CB24CE)
    • macdonzx.exe (PID: 756 cmdline: C:\Users\user\Desktop\macdonzx.exe MD5: E1CDD88E54FDE674768D48D248CB24CE)
  • cleanup
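
The tree above is the self-injection pattern the signature list calls out ("Creates a process in suspended mode", "Injects a PE file into a foreign processes"): the loader starts a second copy of itself and hollows it, which is why the AgentTesla Yara hits further down are in process 13 and not in the original process 2. As an added example, not part of the Joe Sandbox report, here is a detection over Sysmon Event ID 1 records that flags a binary in a user-writable directory spawning a copy of itself. The macdonzx.exe PIDs, paths and command lines are taken from the tree; the event layout, Explorer's PID 4120 and the chrome.exe control case are constructed for the demonstration.

```python
from typing import Dict, Iterable, List

# Directories an unprivileged user can write to. A binary launched from one of these
# has none of the legitimate reasons (renderer sandboxes, privilege separation) that
# a browser under Program Files has for starting a copy of itself.
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


def in_user_writable_dir(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)


def self_spawn_alerts(events: Iterable[Dict[str, object]],
                      allow_images: Iterable[str] = ()) -> List[Dict[str, object]]:
    """Flag Sysmon Event ID 1 records in which a binary launches a copy of itself.

    Sysmon does not record CREATE_SUSPENDED, so the suspended child the report
    describes is inferred from the self-spawn plus the user-writable path. The
    quoted-parent / bare-path-child asymmetry in the report's tree (Explorer quotes
    the path it launches; the .NET loader hands the bare path to CreateProcess)
    is kept as a secondary attribute rather than a hard condition, because other
    loaders quote it. allow_images covers software that legitimately re-launches
    itself from a per-user install directory.
    """
    allow = {a.lower() for a in allow_images}
    alerts: List[Dict[str, object]] = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        image, parent = str(ev["Image"]), str(ev["ParentImage"])
        if image.lower() != parent.lower():
            continue
        if image.lower().rsplit("\\", 1)[-1] in allow:
            continue
        if not in_user_writable_dir(image):
            continue
        cmd = str(ev.get("CommandLine", ""))
        pcmd = str(ev.get("ParentCommandLine", ""))
        alerts.append({
            "ProcessId": ev["ProcessId"],
            "ParentProcessId": ev["ParentProcessId"],
            "Image": image,
            "bare_path_child": pcmd.startswith('"') and not cmd.startswith('"'),
        })
    return alerts


# Constructed Sysmon-style records, not taken from the report. The macdonzx.exe
# PIDs, paths and command lines mirror the process tree; Explorer's PID 4120 and
# the chrome.exe control case are invented for the demonstration.
_SAMPLE = r"C:\Users\user\Desktop\macdonzx.exe"
_CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 1, "ProcessId": 5652, "Image": _SAMPLE, "CommandLine": f'"{_SAMPLE}"',
     "ParentProcessId": 4120, "ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": r"C:\Windows\Explorer.EXE"},
    {"EventID": 1, "ProcessId": 2056, "Image": _SAMPLE, "CommandLine": _SAMPLE,
     "ParentProcessId": 5652, "ParentImage": _SAMPLE, "ParentCommandLine": f'"{_SAMPLE}"'},
    {"EventID": 1, "ProcessId": 756, "Image": _SAMPLE, "CommandLine": _SAMPLE,
     "ParentProcessId": 5652, "ParentImage": _SAMPLE, "ParentCommandLine": f'"{_SAMPLE}"'},
    {"EventID": 1, "ProcessId": 3300, "Image": _CHROME, "CommandLine": f'"{_CHROME}" --type=renderer',
     "ParentProcessId": 3100, "ParentImage": _CHROME, "ParentCommandLine": f'"{_CHROME}"'},
    {"EventID": 3, "ProcessId": 756, "Image": _SAMPLE, "DestinationIp": "45.147.197.20",
     "DestinationPort": 587},
]

if __name__ == "__main__":
    for alert in self_spawn_alerts(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed records this reports PIDs 2056 and 756 and nothing else; the chrome.exe self-spawn is dropped by the path check, not by an allowlist, which is the property you want when the loader is renamed.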

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "macdonlog@milax.tk", "Password": "7213575aceACE@#$", "Host": "milax.tk"}
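
The configuration is the whole exfiltration channel: in SMTP mode AgentTesla logs in to `Host` with `Username`/`Password` and mails the harvested credentials to itself, which is the 192.168.2.3:49840 -> 45.147.197.20:587 connection and the milax.tk DNS query recorded further down. The Python below is an added example, not code from the report or from Joe Sandbox: it derives matchable indicators from the extracted config and scores constructed DNS, connection and SMTP events against them. The config, the IP and the port are from this report; the event layout, the sanctioned server `smtp.corp.example` and the second workstation 192.168.2.7 are assumptions made for the demonstration.

```python
import json
from typing import Dict, Iterable, List, Tuple

# Configuration string exactly as the sandbox's extractor reported it for this sample.
CONFIG_JSON = (
    '{"Exfil Mode": "SMTP", "Username": "macdonlog@milax.tk", '
    '"Password": "7213575aceACE@#$", "Host": "milax.tk"}'
)

# Network facts from the report: the sample resolved milax.tk and opened
# 192.168.2.3:49840 -> 45.147.197.20:587 (SMTP submission).
OBSERVED_C2_IP = "45.147.197.20"
SUBMISSION_PORTS = {25, 465, 587}


def iocs_from_config(config_json: str) -> Dict[str, str]:
    """Flatten an AgentTesla SMTP config into indicators worth matching on.

    In SMTP mode 'Host' is the mail server the stealer authenticates to and
    'Username' is both the AUTH login and the From address, so the server, the
    mailbox and the mail domain all identify this operator. The password is an
    attacker secret, not an indicator, and is deliberately not returned.
    """
    cfg = json.loads(config_json)
    if cfg.get("Exfil Mode") != "SMTP":
        raise ValueError("this example only covers the SMTP exfil mode seen in the report")
    mailbox = cfg["Username"].lower()
    return {
        "smtp_host": cfg["Host"].lower(),
        "mailbox": mailbox,
        "mail_domain": mailbox.rsplit("@", 1)[-1],
    }


def match_events(events: Iterable[Dict[str, str]], iocs: Dict[str, str],
                 sanctioned_mail_servers: Iterable[str] = ()) -> List[Tuple[str, Dict[str, str]]]:
    """Score network events against the config-derived IOCs.

    Three independent signals are checked because each survives a different
    evasion: the DNS name (survives IP rotation), the SMTP AUTH user / MAIL FROM
    (survives domain rotation, since the mailbox is what the operator reads), and
    any SMTP submission from a workstation to a server that is not the
    organisation's own (survives a completely rebuilt config).
    """
    sanctioned = {s.lower() for s in sanctioned_mail_servers}
    hits: List[Tuple[str, Dict[str, str]]] = []
    for ev in events:
        kind = ev.get("type")
        if kind == "dns" and ev["query"].lower().rstrip(".") == iocs["smtp_host"]:
            hits.append(("dns: resolves configured SMTP host", ev))
        elif (kind == "conn" and int(ev["dport"]) in SUBMISSION_PORTS
              and ev["dst"].lower() not in sanctioned):
            hits.append(("conn: SMTP submission to unsanctioned server", ev))
        elif kind == "smtp":
            who = {ev.get("user", "").lower(), ev.get("mailfrom", "").lower()}
            if iocs["mailbox"] in who:
                hits.append(("smtp: AUTH/MAIL FROM uses configured mailbox", ev))
            elif any(w.endswith("@" + iocs["mail_domain"]) for w in who if w):
                hits.append(("smtp: mailbox in configured operator domain", ev))
    return hits


# Constructed events (not from the report) in the shape a Zeek-style pipeline
# would hand over; the first three mirror what the sandbox observed, the last
# two are a benign workstation using the sanctioned corporate relay.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "dns", "src": "192.168.2.3", "query": "milax.tk"},
    {"type": "conn", "src": "192.168.2.3", "sport": "49840", "dst": OBSERVED_C2_IP, "dport": "587"},
    {"type": "smtp", "src": "192.168.2.3", "user": "macdonlog@milax.tk", "mailfrom": "macdonlog@milax.tk"},
    {"type": "dns", "src": "192.168.2.7", "query": "outlook.office365.com"},
    {"type": "conn", "src": "192.168.2.7", "sport": "50012", "dst": "smtp.corp.example", "dport": "587"},
]

if __name__ == "__main__":
    for reason, ev in match_events(SAMPLE_EVENTS, iocs_from_config(CONFIG_JSON), ["smtp.corp.example"]):
        print(f"{reason}: {ev}")
```

The observed IP is intentionally not derived from the config: it is what the domain resolved to on analysis day and belongs in a separate, time-bounded indicator list, whereas the mailbox and domain come from the operator's own configuration and stay valid until they rebuild it.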

Yara Overview

Memory Dumps

Source | Rule | Description | Author
0000000D.00000000.322102466.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000D.00000000.322102466.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0000000D.00000002.551245127.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000D.00000002.551245127.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0000000D.00000000.321599749.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(15 entries in the full report; first 5 shown)

            Unpacked PEs

Source | Rule | Description | Author
2.2.macdonzx.exe.36f3980.5.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
2.2.macdonzx.exe.36f3980.5.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
2.2.macdonzx.exe.26bf800.1.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
13.0.macdonzx.exe.400000.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
13.0.macdonzx.exe.400000.4.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
(18 entries in the full report; first 5 shown)
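
The memory-dump names above encode where and when each Yara hit was taken, and reading them says more than the rule name does: every AgentTesla match sits at 0x402000, just above the 0x400000 image base, in process 13, with protection field 00000040. That is PAGE_EXECUTE_READWRITE at the image of a child that shares its parent's name, which is the memory footprint of the hollowing the process tree shows. Added example, not part of the report: a parser for these dump names that decodes the protection field with the fixed Win32 PAGE_* constants and pulls out the regions that were writable and executable at once. The field order (process index, phase, dump id, base address, protection, region type) is read off the names in this report, and the phase meanings (0 = process start, 2 = process end, 3 = mid-run) are an assumption; the region-type field is carried through undecoded.

```python
import re
from dataclasses import dataclass
from typing import List

# Memory-protection constants from winnt.h; these values are fixed by the Win32 API.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}

# ASSUMPTION about Joe Sandbox's numbering of the second field: when the dump was taken.
PHASE = {0: "process start", 2: "process end", 3: "during analysis"}

# <process index>.<phase>.<dump id>.<base address>.<protection>.<region type>.sdmp
SDMP_RE = re.compile(
    r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class Dump:
    name: str
    pid_index: int
    phase: int
    dump_id: int
    base: int
    protect: int
    region_type: int  # not decoded here

    def protect_name(self) -> str:
        # Only the low byte carries the access class; PAGE_GUARD/NOCACHE modifiers sit above it.
        return PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:x}")

    def is_rwx(self) -> bool:
        return (self.protect & 0xFF) == 0x40

    def phase_name(self) -> str:
        return PHASE.get(self.phase, f"phase {self.phase}")


def parse_sdmp(name: str) -> Dump:
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox memory dump name: {name}")
    pid_idx, phase, dump_id, base, prot, rtype = m.groups()
    return Dump(name, int(pid_idx, 16), int(phase, 16), int(dump_id),
                int(base, 16), int(prot, 16), int(rtype, 16))


def rwx_regions(names: List[str]) -> List[Dump]:
    """Return the dumps that were executable and writable when captured.

    A normally loaded PE has its code mapped PAGE_EXECUTE_READ, so an RWX region
    at an image-like address in a child that shares the parent's image name is
    the place to point Yara and the config extractor first.
    """
    return [d for d in (parse_sdmp(n) for n in names) if d.is_rwx()]


# Dump names copied from this report's Yara and string-match tables.
REPORT_DUMPS = [
    "0000000D.00000000.322102466.0000000000402000.00000040.00000001.sdmp",  # AgentTesla Yara hit
    "0000000D.00000002.551245127.0000000000402000.00000040.00000001.sdmp",  # AgentTesla Yara hit
    "0000000D.00000002.562575155.0000000002C11000.00000004.00000001.sdmp",  # heap holding C2 strings
    "00000002.00000000.283609494.0000000000172000.00000002.00020000.sdmp",  # parent's own image
]

if __name__ == "__main__":
    for d in rwx_regions(REPORT_DUMPS):
        print(f"process #{d.pid_index} at {d.phase_name()}: {d.protect_name()} "
              f"region at 0x{d.base:08x} ({d.name})")
```

Over the four names from this report the filter keeps exactly the two 0x402000 dumps from process 13; the heap dump that carries the milax.tk and api.ipify.org strings is PAGE_READWRITE and the parent's own mapped image is PAGE_READONLY, so neither is where the unpacked payload executes.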

                      Sigma Overview

                      No Sigma rule has matched

                      Jbx Signature Overview


                      AV Detection:

Found malware configuration
Source: 13.0.macdonzx.exe.400000.6.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "macdonlog@milax.tk", "Password": "7213575aceACE@#$", "Host": "milax.tk"}
Multi AV Scanner detection for submitted file
Source: macdonzx.exe | Virustotal: Detection: 44%
Source: macdonzx.exe | ReversingLabs: Detection: 46%
Antivirus detection for URL or domain
Source: http://milax.tk | Avira URL Cloud: Label: malware
Machine Learning detection for sample
Source: macdonzx.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 13.0.macdonzx.exe.400000.6.unpack | Avira: Label: TR/Spy.Gen8
Source: 13.0.macdonzx.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 13.0.macdonzx.exe.400000.10.unpack | Avira: Label: TR/Spy.Gen8
Source: 13.0.macdonzx.exe.400000.12.unpack | Avira: Label: TR/Spy.Gen8
Source: 13.0.macdonzx.exe.400000.8.unpack | Avira: Label: TR/Spy.Gen8
Source: 13.2.macdonzx.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: macdonzx.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: macdonzx.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\macdonzx.exe | Code function: 4x nop then jmp 06E49A39h
Source: Joe Sandbox View | ASN Name: ON-LINE-DATAServerlocation-NetherlandsDrontenNL
Source: Joe Sandbox View | IP Address: 45.147.197.20
Source: global traffic | TCP traffic: 192.168.2.3:49840 -> 45.147.197.20:587
Source: macdonzx.exe, 0000000D.00000002.562575155.0000000002C11000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: macdonzx.exe, 0000000D.00000002.562575155.0000000002C11000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: macdonzx.exe, 0000000D.00000002.562575155.0000000002C11000.00000004.00000001.sdmp | String found in binary or memory: http://ajXUgt.com
                      Source: macdonzx.exe, 00000002.00000003.287613879.0000000005593000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000003.287653253.0000000005594000.00000004.00000001.sdmpString found in binary or memory: http://fontfabrik.com
                      Source: macdonzx.exe, 0000000D.00000002.562986435.0000000002F7E000.00000004.00000001.sdmp, macdonzx.exe, 0000000D.00000002.563057469.0000000002F9C000.00000004.00000001.sdmpString found in binary or memory: http://milax.tk
                      Source: macdonzx.exe, 00000002.00000003.292164994.0000000005595000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000002.328879520.00000000067A2000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000003.292388895.0000000005596000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                      Source: macdonzx.exe, 00000002.00000003.292388895.0000000005596000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com
                      Source: macdonzx.exe, 00000002.00000003.292610640.000000000559F000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comF
                      Source: macdonzx.exe, 00000002.00000003.292610640.000000000559F000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comZ
                      Source: macdonzx.exe, 00000002.00000003.292610640.000000000559F000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coma
                      Source: macdonzx.exe, 00000002.00000002.328879520.00000000067A2000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
                      Source: macdonzx.exe, 00000002.00000003.292610640.000000000559F000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000003.292388895.0000000005596000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.como.
                      Source: macdonzx.exe, 00000002.00000003.292610640.000000000559F000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000003.292388895.0000000005596000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comsof
                      Source: macdonzx.exe, 00000002.00000003.292610640.000000000559F000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comue
                      Source: macdonzx.exe, 00000002.00000002.328626139.0000000005590000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000002.328879520.00000000067A2000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000003.323611288.0000000005590000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
                      Source: macdonzx.exe, 00000002.00000002.328879520.00000000067A2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                      Source: macdonzx.exe, 00000002.00000002.328879520.00000000067A2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                      Source: macdonzx.exe, 00000002.00000002.328879520.00000000067A2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                      Source: macdonzx.exe, 00000002.00000002.328879520.00000000067A2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                      Source: macdonzx.exe, 00000002.00000002.328879520.00000000067A2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                      Source: macdonzx.exe, 00000002.00000002.328879520.00000000067A2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                      Source: macdonzx.exe, 00000002.00000002.328879520.00000000067A2000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                      Source: macdonzx.exe, 00000002.00000003.300863910.0000000005596000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comI
                      Source: macdonzx.exe, 00000002.00000002.328626139.0000000005590000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000003.323611288.0000000005590000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.como
                      Source: macdonzx.exe, 00000002.00000002.328879520.00000000067A2000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
                      Source: macdonzx.exe, 00000002.00000002.328879520.00000000067A2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                      Source: macdonzx.exe, 00000002.00000003.291263909.0000000005597000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000003.291337892.000000000559B000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000003.291181096.0000000005595000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/
                      Source: macdonzx.exe, 00000002.00000002.328879520.00000000067A2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                      Source: macdonzx.exe, 00000002.00000002.328879520.00000000067A2000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                      Source: macdonzx.exe, 00000002.00000003.291001388.00000000055CD000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cntan-
                      Source: macdonzx.exe, 00000002.00000002.328879520.00000000067A2000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                      Source: macdonzx.exe, 00000002.00000002.328879520.00000000067A2000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                      Source: macdonzx.exe, 00000002.00000002.328879520.00000000067A2000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
                      Source: macdonzx.exe, 00000002.00000003.289726643.0000000005593000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr.TTF
                      Source: macdonzx.exe, 00000002.00000003.289726643.0000000005593000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.krQ
                      Source: macdonzx.exe, 00000002.00000003.296160254.000000000559E000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000003.294200965.000000000559A000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000003.293371788.000000000559A000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000003.294244711.000000000559A000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000002.328879520.00000000067A2000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                      Source: macdonzx.exe, 00000002.00000003.294200965.000000000559A000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000003.294244711.000000000559A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/&
                      Source: macdonzx.exe, 00000002.00000003.294200965.000000000559A000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000003.293371788.000000000559A000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000003.294244711.000000000559A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/4
                      Source: macdonzx.exe, 00000002.00000003.294244711.000000000559A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/H
                      Source: macdonzx.exe, 00000002.00000003.294200965.000000000559A000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000003.294244711.000000000559A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/I
                      Source: macdonzx.exe, 00000002.00000003.294200965.000000000559A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Q
                      Source: macdonzx.exe, 00000002.00000003.294244711.000000000559A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Z
                      Source: macdonzx.exe, 00000002.00000003.293371788.000000000559A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/a-e
                      Source: macdonzx.exe, 00000002.00000003.294200965.000000000559A000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000003.293371788.000000000559A000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000003.294244711.000000000559A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/g
                      Source: macdonzx.exe, 00000002.00000003.294200965.000000000559A000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000003.294244711.000000000559A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
                      Source: macdonzx.exe, 00000002.00000003.294244711.000000000559A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/Q
                      Source: macdonzx.exe, 00000002.00000003.294200965.000000000559A000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000003.294244711.000000000559A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/s
                      Source: macdonzx.exe, 00000002.00000003.294200965.000000000559A000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000003.294244711.000000000559A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/s-cu
                      Source: macdonzx.exe, 00000002.00000003.294200965.000000000559A000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000003.294244711.000000000559A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/soft
                      Source: macdonzx.exe, 00000002.00000003.286590293.00000000055AB000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000002.328879520.00000000067A2000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
                      Source: macdonzx.exe, 00000002.00000003.286590293.00000000055AB000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.comas
                      Source: macdonzx.exe, 00000002.00000002.328879520.00000000067A2000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
                      Source: macdonzx.exe, 00000002.00000003.289726643.0000000005593000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
                      Source: macdonzx.exe, 00000002.00000002.328879520.00000000067A2000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000003.291409252.0000000005592000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
                      Source: macdonzx.exe, 00000002.00000003.291263909.0000000005597000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.compt-p
                      Source: macdonzx.exe, 00000002.00000002.328879520.00000000067A2000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
                      Source: macdonzx.exe, 00000002.00000003.287786995.0000000005594000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netZ.TTFi
                      Source: macdonzx.exe, 00000002.00000003.287786995.0000000005594000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.nete
                      Source: macdonzx.exe, 00000002.00000002.328879520.00000000067A2000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                      Source: macdonzx.exe, 00000002.00000003.292164994.0000000005595000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000002.328879520.00000000067A2000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000003.292388895.0000000005596000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                      Source: macdonzx.exe, 00000002.00000003.292164994.0000000005595000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000003.292388895.0000000005596000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cnl
                      Source: macdonzx.exe, 00000002.00000003.292164994.0000000005595000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000003.292610640.000000000559F000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000003.292388895.0000000005596000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cnn-uA
                      Source: macdonzx.exe, 00000002.00000003.292164994.0000000005595000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000003.292610640.000000000559F000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000003.292388895.0000000005596000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cno.W
                      Source: macdonzx.exe, 00000002.00000003.292164994.0000000005595000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000003.292388895.0000000005596000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cnue
Source: macdonzx.exe, 0000000D.00000002.562971043.0000000002F78000.00000004.00000001.sdmp | String found in binary or memory: https://Xd7k9rd8DlSNF.org
Source: macdonzx.exe, 0000000D.00000002.562575155.0000000002C11000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%$
Source: macdonzx.exe, 0000000D.00000002.562575155.0000000002C11000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0 (AgentTesla fetches the victim's public IP from api.ipify.org to stamp its reports)
Source: macdonzx.exe, 00000002.00000002.325855720.0000000003699000.00000004.00000001.sdmp, macdonzx.exe, 0000000D.00000000.322102466.0000000000402000.00000040.00000001.sdmp, macdonzx.exe, 0000000D.00000000.321170477.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: macdonzx.exe, 0000000D.00000002.562575155.0000000002C11000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha (the Tor bundle download used by AgentTesla's Tor exfiltration mode; it is compiled into the payload even though this build is configured for SMTP)
Source: unknown | DNS traffic detected: queries for: milax.tk

                      Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\Desktop\macdonzx.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\macdonzx.exe (SetWindowsHookEx with thread id 0 and a WH_KEYBOARD_LL procedure inside the sample, i.e. a system-wide low-level keystroke hook)
Source: C:\Users\user\Desktop\macdonzx.exe | Window created: window name: CLIPBRDWNDCLASS (the clipboard listener window class; this is what the "Creates a window with clipboard capturing capabilities" signature keys on)

                      Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file
Source: C:\Users\user\Desktop\macdonzx.exe | File written: C:\Windows\System32\drivers\etc\hosts
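
The report records that the hosts file was written but not what was put in it (the three "File read" entries further down show the sample reading it first), so the recoverable action is to inspect the file on the affected machine. Added example, not from the report: a parser that diffs a hosts file against a stock or baseline copy and explains each divergence as sinkholing (a real name pinned to loopback or 0.0.0.0, which silences AV, update or telemetry traffic) or redirection (a name pinned to some other address). The sample contents are constructed for the demonstration using .test names and an RFC 5737 address; nothing in them is claimed to be what this sample wrote.

```python
import ipaddress
from typing import Dict, List, Set

# Names that legitimately map to loopback in a stock hosts file.
STOCK_LOOPBACK_NAMES = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback", "ip6-localnet", "ip6-mcastprefix",
    "ip6-allnodes", "ip6-allrouters", "ip6-allhosts",
}


def parse_hosts(text: str) -> Dict[str, Set[str]]:
    """Map each hostname to the set of addresses the file assigns it.

    Comments ('#' to end of line) and blank lines are dropped; the first field
    must parse as an IPv4/IPv6 address, everything after it is a name.
    """
    mapping: Dict[str, Set[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # malformed line; a production tool should report it, not skip it
        for name in fields[1:]:
            mapping.setdefault(name.lower(), set()).add(addr)
    return mapping


def hosts_findings(current: str, baseline: str = "") -> List[str]:
    """Explain every way `current` departs from the stock names and the baseline.

    A mapping already present in the baseline is ignored. Anything else is
    reported as 'sinkholed' (loopback or unspecified address for a name that is
    not a stock loopback name) or 'redirected' (any other address).
    """
    cur, base = parse_hosts(current), parse_hosts(baseline)
    findings: List[str] = []
    for name, addrs in sorted(cur.items()):
        for addr in sorted(addrs):
            if addr in base.get(name, set()):
                continue
            ip = ipaddress.ip_address(addr)
            if ip.is_loopback or ip.is_unspecified:
                if name not in STOCK_LOOPBACK_NAMES:
                    findings.append(f"sinkholed: {name} -> {addr}")
            else:
                findings.append(f"redirected: {name} -> {addr}")
    return findings


# Constructed contents, not recovered from the sample: the stock Windows 10 file
# (every mapping commented out), then the same file with an appended block of the
# kind a stealer or loader might write.
STOCK_WIN10_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
#	::1             localhost
"""

TAMPERED_HOSTS = STOCK_WIN10_HOSTS + """
127.0.0.1 localhost
127.0.0.1 scanner.example-av.test
0.0.0.0 update.example-av.test        # constructed: AV update host silenced
203.0.113.7 login.example-bank.test   # constructed: pharming entry (RFC 5737 address)
"""

if __name__ == "__main__":
    for finding in hosts_findings(TAMPERED_HOSTS, STOCK_WIN10_HOSTS):
        print(finding)
```

On the constructed input the stock file yields no findings and the tampered one yields exactly three; the explicit `127.0.0.1 localhost` line is accepted because it is a stock loopback name, which is the one false positive a naive "anything pointing at 127.0.0.1" check would raise on every Linux host.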

                      System Summary:

.NET source code contains very large array initializations
Source: 13.0.macdonzx.exe.400000.6.unpack, <PrivateImplementationDetails>{BF62D748-B14E-43D7-A929-3F8C7CBBD523}/CF475656-AC8F-4A75-A80A-C8F1D8674740.cs | Large array initialization: .cctor: array initializer size 11989
Source: 13.0.macdonzx.exe.400000.4.unpack, <PrivateImplementationDetails>{BF62D748-B14E-43D7-A929-3F8C7CBBD523}/CF475656-AC8F-4A75-A80A-C8F1D8674740.cs | Large array initialization: .cctor: array initializer size 11989
Source: 13.0.macdonzx.exe.400000.10.unpack, <PrivateImplementationDetails>{BF62D748-B14E-43D7-A929-3F8C7CBBD523}/CF475656-AC8F-4A75-A80A-C8F1D8674740.cs | Large array initialization: .cctor: array initializer size 11989
(the compiler-generated <PrivateImplementationDetails> class is where the C# compiler stores static array constants; a single 11989-byte initializer in a static constructor is the pattern a .NET packer uses to embed an encrypted stage, consistent with the CreateDecryptor/TransformFinalBlock calls reported in A/b2.cs below)
Source: macdonzx.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\macdonzx.exe | Code function: 2_2_00172050
Source: C:\Users\user\Desktop\macdonzx.exe | Code function: 2_2_0247C884
Source: C:\Users\user\Desktop\macdonzx.exe | Code function: 2_2_0247EC40
Source: C:\Users\user\Desktop\macdonzx.exe | Code function: 2_2_0247EC50
Source: C:\Users\user\Desktop\macdonzx.exe | Code function: 2_2_06E48D90
Source: C:\Users\user\Desktop\macdonzx.exe | Code function: 2_2_06E41C8D
Source: C:\Users\user\Desktop\macdonzx.exe | Code function: 2_2_06E48D8F
Source: C:\Users\user\Desktop\macdonzx.exe | Code function: 2_2_06E40040
Source: C:\Users\user\Desktop\macdonzx.exe | Code function: 2_2_06E4001E
Source: C:\Users\user\Desktop\macdonzx.exe | Code function: 12_2_00062050
Source: C:\Users\user\Desktop\macdonzx.exe | Code function: 13_2_00892050
Source: C:\Users\user\Desktop\macdonzx.exe | Code function: 13_2_00F0547C
Source: C:\Users\user\Desktop\macdonzx.exe | Code function: 13_2_00F025F8
Source: C:\Users\user\Desktop\macdonzx.exe | Code function: 13_2_00F0AA98
Source: C:\Users\user\Desktop\macdonzx.exe | Code function: 13_2_00F07B89
Source: C:\Users\user\Desktop\macdonzx.exe | Code function: 13_2_00F0AC33
Source: C:\Users\user\Desktop\macdonzx.exe | Code function: 13_2_00F07EC0
Source: C:\Users\user\Desktop\macdonzx.exe | Code function: 13_2_00F00720
Source: C:\Users\user\Desktop\macdonzx.exe | Code function: 13_2_00F16878
Source: C:\Users\user\Desktop\macdonzx.exe | Code function: 13_2_00F1E690
Source: C:\Users\user\Desktop\macdonzx.exe | Code function: 13_2_00F13670
Source: C:\Users\user\Desktop\macdonzx.exe | Code function: 13_2_00F15B18
Source: C:\Users\user\Desktop\macdonzx.exe | Code function: 13_2_012B47A0
Source: C:\Users\user\Desktop\macdonzx.exe | Code function: 13_2_012B3CCC
Source: C:\Users\user\Desktop\macdonzx.exe | Code function: 13_2_012B3E58
Source: C:\Users\user\Desktop\macdonzx.exe | Code function: 13_2_012B4773
Source: C:\Users\user\Desktop\macdonzx.exe | Code function: 13_2_012B4753
Source: C:\Users\user\Desktop\macdonzx.exe | Code function: 13_2_012B4790
Source: C:\Users\user\Desktop\macdonzx.exe | Code function: 13_2_012B5493
Source: C:\Users\user\Desktop\macdonzx.exe | Code function: 13_2_012BD830
Source: C:\Users\user\Desktop\macdonzx.exe | Code function: 13_2_012B3CC0
Source: macdonzx.exe | Binary or memory string: OriginalFilename vs macdonzx.exe
Source: macdonzx.exe, 00000002.00000002.329634552.0000000006CC0000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameUI.dllF vs macdonzx.exe
Source: macdonzx.exe, 00000002.00000000.283609494.0000000000172000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameCustomAttributeEncodi.exe8 vs macdonzx.exe
Source: macdonzx.exe, 00000002.00000002.325855720.0000000003699000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameQPRLAEWBcagtHpbbhEylIhVYKAoTCzKdldI.exe4 vs macdonzx.exe
Source: macdonzx.exe, 00000002.00000002.325855720.0000000003699000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUI.dllF vs macdonzx.exe
Source: macdonzx.exe, 00000002.00000002.325356794.0000000002691000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameQPRLAEWBcagtHpbbhEylIhVYKAoTCzKdldI.exe4 vs macdonzx.exe
Source: macdonzx.exe, 0000000C.00000000.312885156.0000000000062000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameCustomAttributeEncodi.exe8 vs macdonzx.exe
Source: macdonzx.exe, 0000000D.00000000.322609757.0000000000892000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameCustomAttributeEncodi.exe8 vs macdonzx.exe
Source: macdonzx.exe, 0000000D.00000000.322102466.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameQPRLAEWBcagtHpbbhEylIhVYKAoTCzKdldI.exe4 vs macdonzx.exe
Source: macdonzx.exe, 0000000D.00000003.532110155.000000000109D000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs macdonzx.exe
Source: macdonzx.exe, 0000000D.00000002.554689058.0000000000CF8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs macdonzx.exe
Source: macdonzx.exe, 0000000D.00000002.560788873.0000000001018000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs macdonzx.exe
Source: macdonzx.exe, 0000000D.00000002.561430446.0000000001086000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs macdonzx.exe
Source: macdonzx.exe | Binary or memory string: OriginalFilenameCustomAttributeEncodi.exe8 vs macdonzx.exe
Source: macdonzx.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\macdonzx.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers (Software Restriction Policy settings, read by the CLR when it starts a managed executable)
Source: unknown | Process created: C:\Users\user\Desktop\macdonzx.exe "C:\Users\user\Desktop\macdonzx.exe"
Source: C:\Users\user\Desktop\macdonzx.exe | Process created: C:\Users\user\Desktop\macdonzx.exe C:\Users\user\Desktop\macdonzx.exe
Source: C:\Users\user\Desktop\macdonzx.exe | Process created: C:\Users\user\Desktop\macdonzx.exe C:\Users\user\Desktop\macdonzx.exe
Source: C:\Users\user\Desktop\macdonzx.exe | Process created: C:\Users\user\Desktop\macdonzx.exe C:\Users\user\Desktop\macdonzx.exe
Source: C:\Users\user\Desktop\macdonzx.exe | Process created: C:\Users\user\Desktop\macdonzx.exe C:\Users\user\Desktop\macdonzx.exe
Source: C:\Users\user\Desktop\macdonzx.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\macdonzx.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\macdonzx.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\macdonzx.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\macdonzx.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\macdonzx.exe.log
Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@5/3@2/2
Source: C:\Users\user\Desktop\macdonzx.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\macdonzx.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: 13.0.macdonzx.exe.400000.6.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 13.0.macdonzx.exe.400000.4.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 13.0.macdonzx.exe.400000.10.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\macdonzx.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\macdonzx.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\macdonzx.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\macdonzx.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\macdonzx.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (the Outlook 2013 profile subtree that holds mail account settings; this is the "Tries to steal Mail credentials" behaviour)
Source: macdonzx.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: macdonzx.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

                      Data Obfuscation:

.NET source code contains potential unpacker
Source: macdonzx.exe, Display.cs | .Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.macdonzx.exe.170000.0.unpack, Display.cs | .Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.macdonzx.exe.170000.0.unpack, Display.cs | .Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.0.macdonzx.exe.60000.3.unpack, Display.cs | .Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.2.macdonzx.exe.60000.0.unpack, Display.cs | .Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.0.macdonzx.exe.60000.2.unpack, Display.cs | .Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.0.macdonzx.exe.60000.0.unpack, Display.cs | .Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.0.macdonzx.exe.60000.1.unpack, Display.cs | .Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.0.macdonzx.exe.890000.2.unpack, Display.cs | .Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.0.macdonzx.exe.890000.11.unpack, Display.cs | .Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.0.macdonzx.exe.890000.7.unpack, Display.cs | .Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.0.macdonzx.exe.890000.9.unpack, Display.cs | .Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.0.macdonzx.exe.890000.3.unpack, Display.cs | .Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.2.macdonzx.exe.890000.1.unpack, Display.cs | .Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.0.macdonzx.exe.890000.5.unpack, Display.cs | .Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
.NET source code contains method to dynamically call methods (often used by packers)
Source: macdonzx.exe, Display.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 2.0.macdonzx.exe.170000.0.unpack, Display.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 2.2.macdonzx.exe.170000.0.unpack, Display.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 12.0.macdonzx.exe.60000.3.unpack, Display.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 12.2.macdonzx.exe.60000.0.unpack, Display.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 12.0.macdonzx.exe.60000.2.unpack, Display.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 12.0.macdonzx.exe.60000.0.unpack, Display.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 12.0.macdonzx.exe.60000.1.unpack, Display.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 13.0.macdonzx.exe.890000.2.unpack, Display.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 13.0.macdonzx.exe.890000.11.unpack, Display.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 13.0.macdonzx.exe.890000.7.unpack, Display.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 13.0.macdonzx.exe.890000.9.unpack, Display.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 13.0.macdonzx.exe.890000.3.unpack, Display.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 13.2.macdonzx.exe.890000.1.unpack, Display.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: 13.0.macdonzx.exe.890000.5.unpack, Display.cs | .Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
Source: C:\Users\user\Desktop\macdonzx.exe | Code function: 2_2_0017F75B push esp; iretd
Source: C:\Users\user\Desktop\macdonzx.exe | Code function: 2_2_02478292 push 7804B190h; ret
Source: C:\Users\user\Desktop\macdonzx.exe | Code function: 2_2_0247DE88 push esp; iretd
Source: C:\Users\user\Desktop\macdonzx.exe | Code function: 2_2_06E44E70 push ss; ret
Source: C:\Users\user\Desktop\macdonzx.exe | Code function: 2_2_06E45752 push es; retf
Source: C:\Users\user\Desktop\macdonzx.exe | Code function: 2_2_06E45C1D push es; iretd
Source: C:\Users\user\Desktop\macdonzx.exe | Code function: 2_2_06E45A91 push es; ret
Source: C:\Users\user\Desktop\macdonzx.exe | Code function: 2_2_06E459E1 push es; ret
Source: C:\Users\user\Desktop\macdonzx.exe | Code function: 12_2_0006F75B push esp; iretd
Source: C:\Users\user\Desktop\macdonzx.exe | Code function: 13_2_0089F75B push esp; iretd
Source: C:\Users\user\Desktop\macdonzx.exe | Code function: 13_2_00F1B55F push edi; retn 0000h
Source: C:\Users\user\Desktop\macdonzx.exe | Code function: 13_2_012BCF71 push esp; iretd
Source: initial sample | Static PE information: section name: .text entropy: 7.79486516147
Source: C:\Users\user\Desktop\macdonzx.exe | Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: 2.2.macdonzx.exe.26bf800.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.macdonzx.exe.2706658.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.macdonzx.exe.26c780c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.325356794.0000000002691000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.325423946.00000000026DC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: macdonzx.exe PID: 5652, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: macdonzx.exe, 00000002.00000002.325356794.0000000002691000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000002.325423946.00000000026DC000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: macdonzx.exe, 00000002.00000002.325356794.0000000002691000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000002.325423946.00000000026DC000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\macdonzx.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\macdonzx.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\macdonzx.exe TID: 2268 | Thread sleep time: -40873s >= -30000s
Source: C:\Users\user\Desktop\macdonzx.exe TID: 3940 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\macdonzx.exe TID: 5368 | Thread sleep time: -20291418481080494s >= -30000s
Source: C:\Users\user\Desktop\macdonzx.exe TID: 2132 | Thread sleep count: 3625 > 30
Source: C:\Users\user\Desktop\macdonzx.exe TID: 2132 | Thread sleep count: 6209 > 30
Source: C:\Users\user\Desktop\macdonzx.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\macdonzx.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\macdonzx.exe | Window / User API: threadDelayed 3625
Source: C:\Users\user\Desktop\macdonzx.exe | Window / User API: threadDelayed 6209
Source: C:\Users\user\Desktop\macdonzx.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\macdonzx.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\macdonzx.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\macdonzx.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\macdonzx.exe | Thread delayed: delay time: 40873
Source: C:\Users\user\Desktop\macdonzx.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\macdonzx.exe | Thread delayed: delay time: 922337203685477
Source: macdonzx.exe, 00000002.00000002.325423946.00000000026DC000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: macdonzx.exe, 00000002.00000002.325423946.00000000026DC000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: macdonzx.exe, 00000002.00000002.325423946.00000000026DC000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: macdonzx.exe, 0000000D.00000002.561430446.0000000001086000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: macdonzx.exe, 00000002.00000002.325423946.00000000026DC000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\macdonzx.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\macdonzx.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\macdonzx.exe | Code function: 13_2_00F0E1A0 LdrInitializeThunk,
Source: C:\Users\user\Desktop\macdonzx.exe | Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

Modifies the hosts file
Source: C:\Users\user\Desktop\macdonzx.exe | File written: C:\Windows\System32\drivers\etc\hosts
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\macdonzx.exe | Memory written: C:\Users\user\Desktop\macdonzx.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\macdonzx.exe | Process created: C:\Users\user\Desktop\macdonzx.exe C:\Users\user\Desktop\macdonzx.exe
Source: C:\Users\user\Desktop\macdonzx.exe | Process created: C:\Users\user\Desktop\macdonzx.exe C:\Users\user\Desktop\macdonzx.exe
Source: macdonzx.exe, 0000000D.00000002.562396618.00000000016F0000.00000002.00020000.sdmp | Binary or memory string: Program Manager
Source: macdonzx.exe, 0000000D.00000002.562396618.00000000016F0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: macdonzx.exe, 0000000D.00000002.562396618.00000000016F0000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: macdonzx.exe, 0000000D.00000002.562396618.00000000016F0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\macdonzx.exe | Queries volume information: C:\Users\user\Desktop\macdonzx.exe VolumeInformation
Source: C:\Users\user\Desktop\macdonzx.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\macdonzx.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\macdonzx.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\macdonzx.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\macdonzx.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\macdonzx.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\macdonzx.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\macdonzx.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\macdonzx.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\macdonzx.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\macdonzx.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\macdonzx.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\macdonzx.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\macdonzx.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\macdonzx.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\macdonzx.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\macdonzx.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\macdonzx.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\macdonzx.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\macdonzx.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\macdonzx.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\macdonzx.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\macdonzx.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\macdonzx.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\macdonzx.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\macdonzx.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\macdonzx.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\macdonzx.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\macdonzx.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\macdonzx.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\macdonzx.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\macdonzx.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\macdonzx.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\macdonzx.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\macdonzx.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\macdonzx.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\macdonzx.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\macdonzx.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\macdonzx.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\macdonzx.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\macdonzx.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\macdonzx.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\macdonzx.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\macdonzx.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\macdonzx.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\macdonzx.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\macdonzx.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\macdonzx.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\macdonzx.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\macdonzx.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\macdonzx.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\macdonzx.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\macdonzx.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\macdonzx.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\macdonzx.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\macdonzx.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\macdonzx.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\macdonzx.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                      Source: C:\Users\user\Desktop\macdonzx.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\macdonzx.exe | Queries volume information (VolumeInformation) of each of the following files, in this order:
  C:\Windows\Fonts\LTYPEB.TTF
  C:\Windows\Fonts\LTYPEBO.TTF
  C:\Windows\Fonts\LSANS.TTF
  C:\Windows\Fonts\LSANSD.TTF
  C:\Windows\Fonts\LSANSI.TTF
  C:\Windows\Fonts\LSANSDI.TTF
  C:\Windows\Fonts\IMPRISHA.TTF
  C:\Windows\Fonts\HATTEN.TTF
  C:\Windows\Fonts\GOUDYSTO.TTF
  C:\Windows\Fonts\GOUDOS.TTF
  C:\Windows\Fonts\GOUDOSI.TTF
  C:\Windows\Fonts\GOUDOSB.TTF
  C:\Windows\Fonts\GLECB.TTF
  C:\Windows\Fonts\GIL_____.TTF
  C:\Windows\Fonts\GILI____.TTF
  C:\Windows\Fonts\GILB____.TTF
  C:\Windows\Fonts\GILBI___.TTF
  C:\Windows\Fonts\GILC____.TTF
  C:\Windows\Fonts\GLSNECB.TTF
  C:\Windows\Fonts\GIGI.TTF
  C:\Windows\Fonts\FRABK.TTF
  C:\Windows\Fonts\FRABKIT.TTF
  C:\Windows\Fonts\FORTE.TTF
  C:\Windows\Fonts\FELIXTI.TTF
  C:\Windows\Fonts\ERASMD.TTF
  C:\Windows\Fonts\ERASLGHT.TTF
  C:\Windows\Fonts\ERASDEMI.TTF
  C:\Windows\Fonts\ERASBD.TTF
  C:\Windows\Fonts\ENGR.TTF
  C:\Windows\Fonts\ELEPHNT.TTF
  C:\Windows\Fonts\ELEPHNTI.TTF
  C:\Windows\Fonts\ITCEDSCR.TTF
  C:\Windows\Fonts\CURLZ___.TTF
  C:\Windows\Fonts\COPRGTL.TTF
  C:\Windows\Fonts\COPRGTB.TTF
  C:\Windows\Fonts\CENSCBK.TTF
  C:\Windows\Fonts\SCHLBKI.TTF
  C:\Windows\Fonts\SCHLBKB.TTF
  C:\Windows\Fonts\SCHLBKBI.TTF
  C:\Windows\Fonts\CASTELAR.TTF
  C:\Windows\Fonts\CALIST.TTF
  C:\Windows\Fonts\CALISTI.TTF
  C:\Windows\Fonts\CALISTB.TTF
  C:\Windows\Fonts\CALISTBI.TTF
  C:\Windows\Fonts\BOOKOS.TTF
  C:\Windows\Fonts\BOOKOSB.TTF
  C:\Windows\Fonts\BOOKOSI.TTF
  C:\Windows\Fonts\BOOKOSBI.TTF
  C:\Windows\Fonts\BOD_R.TTF
  C:\Windows\Fonts\BOD_I.TTF
  C:\Windows\Fonts\BOD_B.TTF
  C:\Windows\Fonts\BOD_BI.TTF
  C:\Windows\Fonts\BOD_CR.TTF
  C:\Windows\Fonts\BOD_BLAR.TTF
  C:\Windows\Fonts\BOD_CI.TTF
  C:\Windows\Fonts\BOD_CB.TTF
  C:\Windows\Fonts\BOD_BLAI.TTF
  C:\Windows\Fonts\BOD_CBI.TTF
  C:\Windows\Fonts\ITCBLKAD.TTF
  C:\Windows\Fonts\ARLRDBD.TTF
  C:\Windows\Fonts\AGENCYR.TTF
  C:\Windows\Fonts\AGENCYB.TTF
  C:\Windows\Fonts\BSSYM7.TTF
  C:\Windows\Fonts\REFSAN.TTF
  C:\Windows\Fonts\REFSPCL.TTF
  C:\Windows\Fonts\MTEXTRA.TTF
  C:\Windows\Fonts\marlett.ttf
  C:\Windows\Fonts\micross.ttf
  C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll (queried three times)
  C:\Users\user\Desktop\macdonzx.exe
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
  C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll (queried three times)
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
  C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
Source: C:\Users\user\Desktop\macdonzx.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies the hosts file
Source: C:\Users\user\Desktop\macdonzx.exe | File written: C:\Windows\System32\drivers\etc\hosts

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 2.2.macdonzx.exe.36f3980.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.macdonzx.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.macdonzx.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.macdonzx.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.macdonzx.exe.3729ba0.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.macdonzx.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.macdonzx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.0.macdonzx.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.macdonzx.exe.3729ba0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.macdonzx.exe.36f3980.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000D.00000000.322102466.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.551245127.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000000.321599749.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000000.321170477.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000000.322547714.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.325855720.0000000003699000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.562575155.0000000002C11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: macdonzx.exe PID: 5652, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: macdonzx.exe PID: 756, type: MEMORYSTR
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\macdonzx.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\macdonzx.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\macdonzx.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\macdonzx.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\macdonzx.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\macdonzx.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\Desktop\macdonzx.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\macdonzx.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\macdonzx.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\macdonzx.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: Yara match | File source: 0000000D.00000002.562575155.0000000002C11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: macdonzx.exe PID: 756, type: MEMORYSTR
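The file and registry paths listed in this section are the credential stores the sample reads, and the useful detection signal is not any one path but a single process opening stores belonging to several unrelated applications (mail client, SFTP client, FTP clients, two browsers) within a few seconds. The following correlation rule is an added example, not part of the Joe Sandbox report: it consumes Sysmon-style file and registry access events and raises one alert per process that touches at least three distinct stores inside a time window. The path patterns are the ones listed above; the event layout (ts, pid, image, target), the owner-process names, the threshold and the sample events are assumptions constructed for the example (the sample events reuse the report's image path and PID 756, and add two benign accesses that must not alert).

```python
"""Correlate credential-store access events into one alert per process.

Added example, not part of the Joe Sandbox report. The path patterns are
the ones the report lists for macdonzx.exe; the event layout (ts, pid,
image, target), the owner-process names and the sample events are
assumptions constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Credential stores touched by the sample, keyed by the owning application.
# Patterns match the tail of a file path or registry key (backslash paths).
CREDENTIAL_STORES = {
    "thunderbird": re.compile(r"\\Thunderbird\\profiles\.ini$", re.I),
    "outlook": re.compile(r"\\Windows Messaging Subsystem\\Profiles\\Outlook\\", re.I),
    "incredimail": re.compile(r"\\IncrediMail\\Identities$", re.I),
    "winscp": re.compile(r"\\Martin Prikryl\\WinSCP 2\\Sessions$", re.I),
    "smartftp": re.compile(r"\\SmartFTP\\Client 2\.0\\Favorites\\", re.I),
    "filezilla": re.compile(r"\\FileZilla\\recentservers\.xml$", re.I),
    "firefox": re.compile(r"\\Mozilla\\Firefox\\profiles\.ini$", re.I),
    "chrome": re.compile(r"\\Chrome\\User Data\\Default\\(Cookies|Login Data)$", re.I),
}

# Image names allowed to read their own store (assumed; extend per estate).
OWNER_PROCESSES = {
    "thunderbird": "thunderbird.exe", "outlook": "outlook.exe",
    "winscp": "winscp.exe", "filezilla": "filezilla.exe",
    "firefox": "firefox.exe", "chrome": "chrome.exe",
}


def classify_target(path):
    """Return the store name a file path or registry key belongs to, or None."""
    for store, pattern in CREDENTIAL_STORES.items():
        if pattern.search(path):
            return store
    return None


def correlate(events, window=timedelta(seconds=60), min_stores=3):
    """One alert per process that reads >= min_stores distinct stores within window.

    A process reading only its own store (chrome.exe opening Login Data) is
    ignored; a stealer touching mail, FTP, SSH and browser stores is not.
    """
    per_process = defaultdict(list)          # (pid, image) -> [(ts, store)]
    for ev in events:
        store = classify_target(ev["target"])
        if store is None:
            continue
        image_name = ev["image"].rsplit("\\", 1)[-1].lower()
        if OWNER_PROCESSES.get(store) == image_name:
            continue
        per_process[(ev["pid"], ev["image"])].append(
            (datetime.fromisoformat(ev["ts"]), store))

    alerts = []
    for (pid, image), hits in per_process.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):   # sliding window from each hit
            stores = {s for t, s in hits[i:] if t - start <= window}
            if len(stores) >= min_stores:
                alerts.append({"pid": pid, "image": image,
                               "first_seen": start.isoformat(),
                               "stores": sorted(stores)})
                break
    return alerts


# Constructed sample events: the sample's accesses from the report, plus
# two benign accesses that must not alert.
_MAL = r"C:\Users\user\Desktop\macdonzx.exe"
SAMPLE_EVENTS = [
    {"ts": "2022-01-14T10:00:01", "pid": 756, "image": _MAL,
     "target": r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"},
    {"ts": "2022-01-14T10:00:01", "pid": 756, "image": _MAL,
     "target": r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion"
               r"\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"ts": "2022-01-14T10:00:02", "pid": 756, "image": _MAL,
     "target": r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"},
    {"ts": "2022-01-14T10:00:02", "pid": 756, "image": _MAL,
     "target": r"C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml"},
    {"ts": "2022-01-14T10:00:03", "pid": 756, "image": _MAL,
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": "2022-01-14T10:00:04", "pid": 756, "image": _MAL,
     "target": r"C:\Windows\Fonts\marlett.ttf"},            # not a store
    {"ts": "2022-01-14T10:00:05", "pid": 4120,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": "2022-01-14T10:00:06", "pid": 5000, "image": r"C:\Tools\backup.exe",
     "target": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run as a script it prints one alert for PID 756 naming the chrome, filezilla, outlook, thunderbird and winscp stores; the browser reading its own Login Data and the backup tool touching a single Firefox profile stay silent. The owner-process allow-list only suppresses an application reading its own store, so a stealer injected into a browser process would still alert as soon as it reached a second application's store.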

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | the same UNPACKEDPE, MEMORY and MEMORYSTR matches listed under Stealing of Sensitive Information above

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation211 | Path Interception | Process Injection112 | Masquerading1 | OS Credential Dumping2 | Security Software Discovery211 | Remote Services | Email Collection1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | File and Directory Permissions Modification1 | Input Capture11 | Process Discovery2 | Remote Desktop Protocol | Input Capture11 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools1 | Credentials in Registry1 | Virtualization/Sandbox Evasion131 | SMB/Windows Admin Shares | Archive Collected Data11 | Automated Exfiltration | Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Virtualization/Sandbox Evasion131 | NTDS | Application Window Discovery1 | Distributed Component Object Model | Data from Local System2 | Scheduled Transfer | Application Layer Protocol11 | SIM Card Swap | - | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection112 | LSA Secrets | Remote System Discovery1 | SSH | Clipboard Data1 | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Deobfuscate/Decode Files or Information1 | Cached Domain Credentials | System Information Discovery114 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | - | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information3 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | - | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing23 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | - | Generate Fraudulent Advertising Revenue


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
macdonzx.exe | 45% | Virustotal |
macdonzx.exe | 46% | ReversingLabs | Win32.Trojan.Bulz
macdonzx.exe | 100% | Joe Sandbox ML |

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

Source | Detection | Scanner | Label
13.0.macdonzx.exe.400000.6.unpack | 100% | Avira | TR/Spy.Gen8
13.0.macdonzx.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8
13.0.macdonzx.exe.400000.10.unpack | 100% | Avira | TR/Spy.Gen8
13.0.macdonzx.exe.400000.12.unpack | 100% | Avira | TR/Spy.Gen8
13.0.macdonzx.exe.400000.8.unpack | 100% | Avira | TR/Spy.Gen8
13.2.macdonzx.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

                      Domains

Source | Detection | Scanner | Label
milax.tk | 5% | Virustotal |

                      URLs

Source | Detection | Scanner | Label
http://www.zhongyicts.com.cnue | 0% | URL Reputation | safe
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.sajatypeworks.comas | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/a-e | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/soft | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr.TTF | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.com | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.carterandcone.comF | 0% | Avira URL Cloud | safe
http://www.zhongyicts.com.cnn-uA | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/4 | 0% | URL Reputation | safe
http://www.carterandcone.comue | 0% | URL Reputation | safe
http://www.goodfont.co.krQ | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/jp/Q | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.typography.netZ.TTFi | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/& | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.carterandcone.como. | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
https://Xd7k9rd8DlSNF.org | 0% | Avira URL Cloud | safe
http://www.carterandcone.coma | 0% | URL Reputation | safe
http://www.fontbureau.comI | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/Z | 0% | URL Reputation | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://www.typography.nete | 0% | Avira URL Cloud | safe
http://www.carterandcone.comZ | 0% | Avira URL Cloud | safe
http://www.carterandcone.comsof | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/Q | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://www.zhongyicts.com.cno.W | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/I | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/H | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
http://www.tiro.compt-p | 0% | Avira URL Cloud | safe
https://api.ipify.org%$ | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.zhongyicts.com.cnl | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/ | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.founder.com.cn/cntan- | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/s | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://milax.tk | 100% | Avira URL Cloud | malware
http://ajXUgt.com | 0% | Avira URL Cloud | safe
http://www.fontbureau.como | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/g | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/s-cu | 0% | Avira URL Cloud | safe

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
milax.tk | 45.147.197.20 | true | true | | unknown

                      URLs from Memory and Binaries

                      NameSourceMaliciousAntivirus DetectionReputation
                      http://www.zhongyicts.com.cnuemacdonzx.exe, 00000002.00000003.292164994.0000000005595000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000003.292388895.0000000005596000.00000004.00000001.sdmpfalse
                      • URL Reputation: safe
                      unknown
                      http://127.0.0.1:HTTP/1.1macdonzx.exe, 0000000D.00000002.562575155.0000000002C11000.00000004.00000001.sdmpfalse
                      • Avira URL Cloud: safe
                      low
                      http://www.fontbureau.com/designersGmacdonzx.exe, 00000002.00000002.328879520.00000000067A2000.00000004.00000001.sdmpfalse
                        high
                        http://www.fontbureau.com/designers/?macdonzx.exe, 00000002.00000002.328879520.00000000067A2000.00000004.00000001.sdmpfalse
                          high
                          http://www.founder.com.cn/cn/bThemacdonzx.exe, 00000002.00000002.328879520.00000000067A2000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://www.sajatypeworks.comasmacdonzx.exe, 00000002.00000003.286590293.00000000055AB000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.jiyu-kobo.co.jp/a-emacdonzx.exe, 00000002.00000003.293371788.000000000559A000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://www.fontbureau.com/designers?macdonzx.exe, 00000002.00000002.328879520.00000000067A2000.00000004.00000001.sdmpfalse
                            high
                            http://www.jiyu-kobo.co.jp/softmacdonzx.exe, 00000002.00000003.294200965.000000000559A000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000003.294244711.000000000559A000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://www.tiro.commacdonzx.exe, 00000002.00000002.328879520.00000000067A2000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000003.291409252.0000000005592000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://www.fontbureau.com/designersmacdonzx.exe, 00000002.00000002.328879520.00000000067A2000.00000004.00000001.sdmpfalse
                              high
                              http://www.goodfont.co.kr.TTFmacdonzx.exe, 00000002.00000003.289726643.0000000005593000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://www.goodfont.co.krmacdonzx.exe, 00000002.00000002.328879520.00000000067A2000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              unknown
                              http://www.carterandcone.commacdonzx.exe, 00000002.00000003.292388895.0000000005596000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.sajatypeworks.com | macdonzx.exe, 00000002.00000003.286590293.00000000055AB000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000002.328879520.00000000067A2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | macdonzx.exe, 00000002.00000002.328879520.00000000067A2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | macdonzx.exe, 00000002.00000002.328879520.00000000067A2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | macdonzx.exe, 00000002.00000002.328879520.00000000067A2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | macdonzx.exe, 00000002.00000003.287613879.0000000005593000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000003.287653253.0000000005594000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.comF | macdonzx.exe, 00000002.00000003.292610640.000000000559F000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.zhongyicts.com.cnn-uA | macdonzx.exe, 00000002.00000003.292164994.0000000005595000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000003.292610640.000000000559F000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000003.292388895.0000000005596000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/4 | macdonzx.exe, 00000002.00000003.294200965.000000000559A000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000003.293371788.000000000559A000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000003.294244711.000000000559A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.comue | macdonzx.exe, 00000002.00000003.292610640.000000000559F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.goodfont.co.krQ | macdonzx.exe, 00000002.00000003.289726643.0000000005593000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/DPlease | macdonzx.exe, 00000002.00000002.328879520.00000000067A2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.org%GETMozilla/5.0 | macdonzx.exe, 0000000D.00000002.562575155.0000000002C11000.00000004.00000001.sdmp | false | URL Reputation: safe | low
http://www.jiyu-kobo.co.jp/jp/Q | macdonzx.exe, 00000002.00000003.294244711.000000000559A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.com | macdonzx.exe, 00000002.00000002.328879520.00000000067A2000.00000004.00000001.sdmp | false | - | high
http://www.sandoll.co.kr | macdonzx.exe, 00000002.00000003.289726643.0000000005593000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netZ.TTFi | macdonzx.exe, 00000002.00000003.287786995.0000000005594000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/& | macdonzx.exe, 00000002.00000003.294200965.000000000559A000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000003.294244711.000000000559A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | macdonzx.exe, 00000002.00000002.328879520.00000000067A2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | macdonzx.exe, 00000002.00000003.292164994.0000000005595000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000002.328879520.00000000067A2000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000003.292388895.0000000005596000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.como. | macdonzx.exe, 00000002.00000003.292610640.000000000559F000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000003.292388895.0000000005596000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | macdonzx.exe, 00000002.00000002.328879520.00000000067A2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | macdonzx.exe, 00000002.00000002.325855720.0000000003699000.00000004.00000001.sdmp, macdonzx.exe, 0000000D.00000000.322102466.0000000000402000.00000040.00000001.sdmp, macdonzx.exe, 0000000D.00000000.321170477.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
https://Xd7k9rd8DlSNF.org | macdonzx.exe, 0000000D.00000002.562971043.0000000002F78000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.coma | macdonzx.exe, 00000002.00000003.292610640.000000000559F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comI | macdonzx.exe, 00000002.00000003.300863910.0000000005596000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/Z | macdonzx.exe, 00000002.00000003.294244711.000000000559A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | macdonzx.exe, 00000002.00000003.292164994.0000000005595000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000002.328879520.00000000067A2000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000003.292388895.0000000005596000.00000004.00000001.sdmp | false | - | high
http://www.fontbureau.com | macdonzx.exe, 00000002.00000002.328626139.0000000005590000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000002.328879520.00000000067A2000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000003.323611288.0000000005590000.00000004.00000001.sdmp | false | - | high
http://DynDns.comDynDNS | macdonzx.exe, 0000000D.00000002.562575155.0000000002C11000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.nete | macdonzx.exe, 00000002.00000003.287786995.0000000005594000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.comZ | macdonzx.exe, 00000002.00000003.292610640.000000000559F000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.comsof | macdonzx.exe, 00000002.00000003.292610640.000000000559F000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000003.292388895.0000000005596000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/Q | macdonzx.exe, 00000002.00000003.294200965.000000000559A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | macdonzx.exe, 0000000D.00000002.562575155.0000000002C11000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cno.W | macdonzx.exe, 00000002.00000003.292164994.0000000005595000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000003.292610640.000000000559F000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000003.292388895.0000000005596000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/I | macdonzx.exe, 00000002.00000003.294200965.000000000559A000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000003.294244711.000000000559A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/H | macdonzx.exe, 00000002.00000003.294244711.000000000559A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/jp/ | macdonzx.exe, 00000002.00000003.294200965.000000000559A000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000003.294244711.000000000559A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.compt-p | macdonzx.exe, 00000002.00000003.291263909.0000000005597000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://api.ipify.org%$ | macdonzx.exe, 0000000D.00000002.562575155.0000000002C11000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.carterandcone.coml | macdonzx.exe, 00000002.00000002.328879520.00000000067A2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cnl | macdonzx.exe, 00000002.00000003.292164994.0000000005595000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000003.292388895.0000000005596000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn/ | macdonzx.exe, 00000002.00000003.291263909.0000000005597000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000003.291337892.000000000559B000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000003.291181096.0000000005595000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | macdonzx.exe, 00000002.00000002.328879520.00000000067A2000.00000004.00000001.sdmp | false | - | high
http://www.founder.com.cn/cn | macdonzx.exe, 00000002.00000002.328879520.00000000067A2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cntan- | macdonzx.exe, 00000002.00000003.291001388.00000000055CD000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | macdonzx.exe, 00000002.00000002.328879520.00000000067A2000.00000004.00000001.sdmp | false | - | high
http://www.jiyu-kobo.co.jp/s | macdonzx.exe, 00000002.00000003.294200965.000000000559A000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000003.294244711.000000000559A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/ | macdonzx.exe, 00000002.00000003.296160254.000000000559E000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000003.294200965.000000000559A000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000003.293371788.000000000559A000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000003.294244711.000000000559A000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000002.328879520.00000000067A2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://milax.tk | macdonzx.exe, 0000000D.00000002.562986435.0000000002F7E000.00000004.00000001.sdmp, macdonzx.exe, 0000000D.00000002.563057469.0000000002F9C000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
http://ajXUgt.com | macdonzx.exe, 0000000D.00000002.562575155.0000000002C11000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.como | macdonzx.exe, 00000002.00000002.328626139.0000000005590000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000003.323611288.0000000005590000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | macdonzx.exe, 00000002.00000002.328879520.00000000067A2000.00000004.00000001.sdmp | false | - | high
http://www.jiyu-kobo.co.jp/g | macdonzx.exe, 00000002.00000003.294200965.000000000559A000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000003.293371788.000000000559A000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000003.294244711.000000000559A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/s-cu | macdonzx.exe, 00000002.00000003.294200965.000000000559A000.00000004.00000001.sdmp, macdonzx.exe, 00000002.00000003.294244711.000000000559A000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
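The entries above are strings carved from process memory, so the same host appears many times with a few trailing bytes of adjacent data attached (the F, ue and o. after carterandcone.com, the %GETMozilla/5.0 after api.ipify.org). Before any of this is used as an indicator it has to be collapsed to hosts. The script below is an added example and is not part of the Joe Sandbox report: it takes a subset of the carved strings copied from the table, trims each to scheme and host by matching DNS labels up to a known top-level domain, and counts how many carved variants fold into each host while carrying the Malicious flag along. The TLD list is an assumption limited to what this report contains; a real tool would use the public suffix list.

```python
"""Collapse carved URL strings from a memory dump into unique hosts."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Subset of rows copied from the URL table: (carved string, malicious flag).
CARVED: List[Tuple[str, bool]] = [
    ("http://www.carterandcone.comF", False),
    ("http://www.carterandcone.comue", False),
    ("http://www.carterandcone.como.", False),
    ("http://www.zhongyicts.com.cnn-uA", False),
    ("http://www.zhongyicts.com.cno.W", False),
    ("http://www.typography.netZ.TTFi", False),
    ("http://www.typography.netD", False),
    ("http://www.jiyu-kobo.co.jp/4", False),
    ("http://www.jiyu-kobo.co.jp/jp/Q", False),
    ("http://www.founder.com.cn/cn/cThe", False),
    ("http://www.urwpp.deDPlease", False),
    ("http://www.goodfont.co.krQ", False),
    ("https://api.ipify.org%GETMozilla/5.0", False),
    ("https://api.ipify.org%$", False),
    ("http://DynDns.comDynDNS", False),
    ("https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha", False),
    ("http://milax.tk", True),
]

# Assumption: only the TLDs that occur in this report. A production tool
# would use the public suffix list instead of a hand-written alternation.
TLDS = "com|net|org|cn|jp|kr|de|tk"
HOST_RE = re.compile(
    r"^(?P<scheme>https?)://(?P<host>(?:[a-z0-9-]+\.)+(?:" + TLDS + r"))",
    re.IGNORECASE,
)


def normalize(carved: str) -> Tuple[str, str]:
    """Return (scheme, host) with the trailing carve junk dropped.

    The label group is greedy and backtracks, so 'www.zhongyicts.com.cnn-uA'
    yields 'www.zhongyicts.com.cn' (not 'www.zhongyicts.com') and
    'www.typography.netZ.TTFi' yields 'www.typography.net'.
    """
    m = HOST_RE.match(carved)
    if not m:
        raise ValueError(f"not a carvable URL: {carved!r}")
    return m.group("scheme").lower(), m.group("host").lower()


def collapse(rows: List[Tuple[str, bool]]) -> Dict[str, dict]:
    """host -> {'variants': n, 'malicious': bool, 'schemes': set}"""
    out: Dict[str, dict] = defaultdict(
        lambda: {"variants": 0, "malicious": False, "schemes": set()}
    )
    for carved, malicious in rows:
        scheme, host = normalize(carved)
        rec = out[host]
        rec["variants"] += 1
        rec["malicious"] = rec["malicious"] or malicious
        rec["schemes"].add(scheme)
    return dict(out)


if __name__ == "__main__":
    # Malicious hosts first, then alphabetical.
    ranked = sorted(collapse(CARVED).items(),
                    key=lambda kv: (not kv[1]["malicious"], kv[0]))
    for host, rec in ranked:
        flag = "MALICIOUS" if rec["malicious"] else "-"
        print(f"{flag:9} {host:32} variants={rec['variants']} "
              f"schemes={','.join(sorted(rec['schemes']))}")
```

What survives is a short list. The font vendor hosts (fontbureau.com, carterandcone.com, typography.net, jiyu-kobo.co.jp and the rest) are license and vendor URLs from font metadata and turn up in the memory of almost any Windows Forms process; the operationally interesting hosts are milax.tk (the only row the report marks malicious, and the domain behind the contacted IP below), api.ipify.org (external IP lookup) and the Tor Browser download URL.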

                                          Contacted IPs


                                          Public

IP | Domain | Country | ASN | ASN Name | Malicious
45.147.197.20 | milax.tk | Ukraine | 204601 | ON-LINE-DATAServerlocation-NetherlandsDrontenNL | true

                                          Private

                                          IP
                                          192.168.2.1

                                          General Information

                                          Joe Sandbox Version:34.0.0 Boulder Opal
                                          Analysis ID:552884
                                          Start date:13.01.2022
                                          Start time:21:23:28
                                          Joe Sandbox Product:CloudBasic
                                          Overall analysis duration:0h 10m 8s
                                          Hypervisor based Inspection enabled:false
                                          Report type:light
                                          Sample file name:macdonzx.exe
                                          Cookbook file name:default.jbs
                                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 28
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:0
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • HDC enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Detection:MAL
                                          Classification:mal100.troj.adwa.spyw.evad.winEXE@5/3@2/2
                                          EGA Information:
                                          • Successful, ratio: 66.7%
                                          HDC Information:
                                          • Successful, ratio: 6.8% (good quality ratio 2.8%)
                                          • Quality average: 23.9%
                                          • Quality standard deviation: 34.1%
                                          HCA Information:
                                          • Successful, ratio: 100%
                                          • Number of executed functions: 0
                                          • Number of non-executed functions: 0
                                          Cookbook Comments:
                                          • Adjust boot time
                                          • Enable AMSI
                                          • Found application associated with file extension: .exe
                                          Warnings:
                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                          • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, store-images.s-microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Execution Graph export aborted for target macdonzx.exe, PID 2056 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                          • Report size getting too big, too many NtQueryValueKey calls found.

                                          Simulations

                                          Behavior and APIs

Time | Type | Description
21:24:34 | API Interceptor | 660x Sleep call for process: macdonzx.exe modified

                                          Joe Sandbox View / Context

                                          IPs

                                          No context

                                          Domains

                                          No context

                                          ASN

                                          No context

                                          JA3 Fingerprints

                                          No context

                                          Dropped Files

                                          No context

                                          Created / dropped Files

                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\macdonzx.exe.log
                                          Process:C:\Users\user\Desktop\macdonzx.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1310
                                          Entropy (8bit):5.345651901398759
                                          Encrypted:false
                                          SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x847mE4P:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzQ
                                          MD5:A9EFF9253CAF99EC8665E41D736DDAED
                                          SHA1:D95BB4ABC856D774DA4602A59DE252B4BF560530
                                          SHA-256:DBC637B33F1F3CD1AB40AFED23F94C4571CA43621EBB52C5DC267DBDC52D4783
                                          SHA-512:96B67A84B750589BDB758224641065919F34BBF02BB286B9F5D566B48965A0E38FB88308B61351A6E11C46B76BFEC370FBC8B978A9F0F07A847567172D5CA5F3
                                          Malicious:true
                                          Reputation:moderate, very likely benign file
                                          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                          C:\Users\user\AppData\Roaming\0e3dvfqb.hnn\Chrome\Default\Cookies
                                          Process:C:\Users\user\Desktop\macdonzx.exe
                                          File Type:SQLite 3.x database, last written using SQLite version 3032001
                                          Category:modified
                                          Size (bytes):20480
                                          Entropy (8bit):0.6970840431455908
                                          Encrypted:false
                                          SSDEEP:24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
                                          MD5:00681D89EDDB6AD25E6F4BD2E66C61C6
                                          SHA1:14B2FBFB460816155190377BBC66AB5D2A15F7AB
                                          SHA-256:8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
                                          SHA-512:159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
                                          Malicious:false
                                          Reputation:high, very likely benign file
                                          Preview: SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
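This Cookies database was not written by Chrome. It is a copy of the browser's profile store that macdonzx.exe placed in a randomly named directory under AppData\Roaming, which is how a stealer gets at a SQLite file the running browser keeps locked. The pattern, a browser profile file name appearing outside the browser's user-data directory or being written by something other than the browser, is straightforward to detect from file-creation telemetry. The script below is an added example, not part of the report: it runs that check over constructed Sysmon Event ID 11 (FileCreate) records, the first of which uses the path from this entry. The artefact names, browser image names and legitimate-directory patterns are assumptions and would need extending per browser and per fleet.

```python
"""Flag browser profile stores (cookies, saved logins) created where, or by
whom, they should not be. Added example; all event records are constructed."""
import re
from typing import Dict, List

# File names of Chromium profile stores that stealers copy out and parse.
# Assumption: illustrative list; Firefox uses cookies.sqlite and logins.json.
ARTEFACTS = {"cookies", "login data", "web data", "history"}

# Process images allowed to write those files. Assumption: extend per fleet.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe"}

# Directories where the stores legitimately live. Assumption: Chrome, Edge only.
LEGIT_DIRS = [
    re.compile(r"\\appdata\\local\\google\\chrome\\user data\\", re.IGNORECASE),
    re.compile(r"\\appdata\\local\\microsoft\\edge\\user data\\", re.IGNORECASE),
]

# Constructed Sysmon records. The first TargetFilename is the path from the
# dropped-files list above; the others are made up for contrast.
EVENTS: List[Dict[str, object]] = [
    {"EventID": 11, "Image": r"C:\Users\user\Desktop\macdonzx.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\0e3dvfqb.hnn\Chrome\Default\Cookies"},
    {"EventID": 11, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies"},
    {"EventID": 11, "Image": r"C:\Users\user\Desktop\macdonzx.exe",
     "TargetFilename": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"EventID": 11, "Image": r"C:\Users\user\Desktop\macdonzx.exe",
     "TargetFilename": r"C:\Users\user\AppData\Local\Temp\notes.txt"},
    # Event 23 (FileDelete) also carries TargetFilename but is not a create.
    {"EventID": 23, "Image": r"C:\Users\user\Desktop\macdonzx.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\x\Chrome\Default\Cookies"},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def classify(image: str, target: str) -> str:
    """Return a reason string, or '' when the write looks legitimate."""
    if basename(target).lower() not in ARTEFACTS:
        return ""
    in_profile = any(p.search(target) for p in LEGIT_DIRS)
    by_browser = basename(image).lower() in BROWSER_IMAGES
    if not in_profile:
        return "browser profile store written outside the browser's user-data directory"
    if not by_browser:
        return "non-browser process wrote into a browser profile store"
    return ""


def flag_events(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    hits = []
    for ev in events:
        if ev.get("EventID") != 11:          # only FileCreate records
            continue
        reason = classify(str(ev["Image"]), str(ev["TargetFilename"]))
        if reason:
            hits.append({"image": ev["Image"], "path": ev["TargetFilename"],
                         "reason": reason})
    return hits


if __name__ == "__main__":
    for h in flag_events(EVENTS):
        print(f"{h['reason']}: {h['image']} -> {h['path']}")
```

The first rule catches the copy-then-read behaviour seen here regardless of which process does it; the second catches a process that reads or overwrites the live store in place, which is rarer because of the browser's lock but still worth a low-severity alert.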
                                          C:\Windows\System32\drivers\etc\hosts
                                          Process:C:\Users\user\Desktop\macdonzx.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):835
                                          Entropy (8bit):4.694294591169137
                                          Encrypted:false
                                          SSDEEP:24:QWDZh+ragzMZfuMMs1L/JU5fFCkK8T1rTt8:vDZhyoZWM9rU5fFcP
                                          MD5:6EB47C1CF858E25486E42440074917F2
                                          SHA1:6A63F93A95E1AE831C393A97158C526A4FA0FAAE
                                          SHA-256:9B13A3EA948A1071A81787AAC1930B89E30DF22CE13F8FF751F31B5D83E79FFB
                                          SHA-512:08437AB32E7E905EB11335E670CDD5D999803390710ED39CBC31A2D3F05868D5D0E5D051CCD7B06A85BB466932F99A220463D27FAC29116D241E8ADAC495FA2F
                                          Malicious:true
                                          Reputation:moderate, very likely benign file
                                          Preview: # Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost....127.0.0.1
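The hosts file above is the stock Microsoft template (comments only, with the localhost lines commented out) plus an appended entry whose preview is cut off after 127.0.0.1; the report attributes the write to macdonzx.exe. Because the shipped file contains no active mappings, every uncommented line is a change that needs explaining. The script below is an added example and not part of the report: it parses a hosts file the way the resolver does (first field is the address, remaining fields are hostnames, anything after # is ignored) and reports each active entry with a reason. The sample content is constructed from the preview with a made-up hostname, since the real one is not visible in the report.

```python
"""Report active (non-comment) entries in a Windows hosts file.

Added example: the hosts file shipped with Windows contains only comments,
so every active mapping is a change worth explaining.
"""
import re
from typing import List, Tuple

# Constructed sample modelled on the dropped-file preview: the Microsoft
# template followed by one appended line. The preview stops after
# "127.0.0.1", so the hostname below is an assumption, not the real one.
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-2009 Microsoft Corp.\r\n"
    "#\r\n"
    "# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.\r\n"
    "#\r\n"
    "# localhost name resolution is handled within DNS itself.\r\n"
    "#\t127.0.0.1       localhost\r\n"
    "#\t::1             localhost\r\n"
    "\r\n"
    "127.0.0.1 av-update.example.invalid\r\n"   # constructed appended entry
)

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

Entry = Tuple[int, str, List[str]]   # (line number, address, hostnames)


def parse_hosts(text: str) -> List[Entry]:
    """Active mappings only: '#' ends the entry, blank lines are skipped,
    the first field is the address and every further field is a hostname."""
    entries: List[Entry] = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        entries.append((no, fields[0], fields[1:]))
    return entries


def findings(text: str) -> List[Tuple[int, str, List[str], str]]:
    """Every active entry with a short reason. 'localhost' mapped to a
    loopback address is tolerated because some tools re-add it; everything
    else is reported, sinkholes and malformed lines with their own reason."""
    out = []
    for no, addr, names in parse_hosts(text):
        if addr in LOOPBACK and names == ["localhost"]:
            continue
        if not names:
            reason = "address without hostname (malformed line)"
        elif addr in LOOPBACK:
            reason = "hostname sinkholed to loopback/null address"
        elif not IPV4.match(addr) and ":" not in addr:
            reason = "first field is not an IP address"
        else:
            reason = "active mapping not present in the stock file"
        out.append((no, addr, names, reason))
    return out


def check_file(path: str = r"C:\Windows\System32\drivers\etc\hosts"):
    """Run the same check against a live system's hosts file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return findings(fh.read())


if __name__ == "__main__":
    for no, addr, names, reason in findings(SAMPLE_HOSTS):
        print(f"line {no}: {addr} -> {' '.join(names) or '(none)'}: {reason}")
```

Sinkholing to 127.0.0.1 is the case to watch for in a stealer: security vendor update and telemetry hostnames pointed at loopback stop the host from reporting or updating, and the file is rewritten silently because the write is a plain file operation by a process running as the user.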

                                          Static File Info

                                          General

                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Entropy (8bit):7.782856510786613
                                          TrID:
                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                          • DOS Executable Generic (2002/1) 0.01%
                                          File name:macdonzx.exe
                                          File size:474624
                                          MD5:e1cdd88e54fde674768d48d248cb24ce
                                          SHA1:facde9af9ce38ca5c0c30f343dfa525a9931a57d
                                          SHA256:734acbd591b35c3ab42e36ed5b97712ff3d1935a756d9158dbb1fcbaf8b5c1d6
                                          SHA512:155905cedfea51ee8682d2a5a733c4595bd164afd7ed52fb5b8fe2d909cd2df6d8c6cc3eb05af463d49bbe0da495722002bc7e5f552487bf617d948589b45929
                                          SSDEEP:12288:sK777777777777OPHfTjKqhQQRvS7+mFNE:sK777777777777OPSqhQE6/
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....~.a..............0..4..........~S... ...`....@.. ....................................@................................

                                          File Icon

                                          Icon Hash:00828e8e8686b000

                                          Static PE Info

                                          General

                                          Entrypoint:0x47537e
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                          Time Stamp:0x61E07E06 [Thu Jan 13 19:31:18 2022 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:v4.0.30319
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                          Entrypoint Preview

                                          Instruction
                                          jmp dword ptr [00402000h]
                                          add byte ptr [eax], al

                                          Data Directories

                                          Name                                  Virtual Address  Virtual Size  Is in Section
                                          IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                          IMAGE_DIRECTORY_ENTRY_IMPORT          0x7532c          0x4f          .text
                                          IMAGE_DIRECTORY_ENTRY_RESOURCE        0x76000          0x5e4         .rsrc
                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                          IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                          IMAGE_DIRECTORY_ENTRY_BASERELOC       0x78000          0xc           .reloc
                                          IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                          IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                          IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                          IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                          Sections

                                          Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
                                          .text   0x2000           0x73384       0x73400   False     0.897081751627   data       7.79486516147   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                          .rsrc   0x76000          0x5e4         0x600     False     0.4296875        data       4.16698632714   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          .reloc  0x78000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                          Resources

                                          Name         RVA      Size   Type                                                                        Language  Country
                                          RT_VERSION   0x76090  0x354  data
                                          RT_MANIFEST  0x763f4  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                          Imports

                                          DLL          Import
                                          mscoree.dll  _CorExeMain

                                          Version Infos

                                          Description       Data
                                          Translation       0x0000 0x04b0
                                          LegalCopyright    Copyright 2015
                                          Assembly Version  1.0.0.0
                                          InternalName      CustomAttributeEncodi.exe
                                          FileVersion       1.0.0.0
                                          CompanyName
                                          LegalTrademarks
                                          Comments
                                          ProductName       ram machine
                                          ProductVersion    1.0.0.0
                                          FileDescription   ram machine
                                          OriginalFilename  CustomAttributeEncodi.exe

                                          Network Behavior

                                          Network Port Distribution

                                          TCP Packets

                                          Timestamp                            Source Port  Dest Port  Source IP      Dest IP
                                          Jan 13, 2022 21:26:21.168365002 CET  49840        587        192.168.2.3    45.147.197.20
                                          Jan 13, 2022 21:26:21.193383932 CET  587          49840      45.147.197.20  192.168.2.3
                                          Jan 13, 2022 21:26:21.193547010 CET  49840        587        192.168.2.3    45.147.197.20
                                          Jan 13, 2022 21:26:21.254138947 CET  587          49840      45.147.197.20  192.168.2.3
                                          Jan 13, 2022 21:26:21.254787922 CET  49840        587        192.168.2.3    45.147.197.20
                                          Jan 13, 2022 21:26:21.281109095 CET  587          49840      45.147.197.20  192.168.2.3
                                          Jan 13, 2022 21:26:21.282515049 CET  49840        587        192.168.2.3    45.147.197.20
                                          Jan 13, 2022 21:26:21.308669090 CET  587          49840      45.147.197.20  192.168.2.3
                                          Jan 13, 2022 21:26:21.309634924 CET  49840        587        192.168.2.3    45.147.197.20
                                          Jan 13, 2022 21:26:21.335298061 CET  587          49840      45.147.197.20  192.168.2.3
                                          Jan 13, 2022 21:26:21.337088108 CET  49840        587        192.168.2.3    45.147.197.20
                                          Jan 13, 2022 21:26:21.362592936 CET  587          49840      45.147.197.20  192.168.2.3
                                          Jan 13, 2022 21:26:21.363178015 CET  49840        587        192.168.2.3    45.147.197.20
                                          Jan 13, 2022 21:26:21.406872988 CET  587          49840      45.147.197.20  192.168.2.3
                                          Jan 13, 2022 21:26:21.411026001 CET  49840        587        192.168.2.3    45.147.197.20
                                          Jan 13, 2022 21:26:21.436141968 CET  587          49840      45.147.197.20  192.168.2.3
                                          Jan 13, 2022 21:26:21.436235905 CET  49840        587        192.168.2.3    45.147.197.20
                                          Jan 13, 2022 21:26:21.437705040 CET  587          49840      45.147.197.20  192.168.2.3
                                          Jan 13, 2022 21:26:21.437783957 CET  49840        587        192.168.2.3    45.147.197.20
                                          Jan 13, 2022 21:26:23.066416025 CET  49841        587        192.168.2.3    45.147.197.20
                                          Jan 13, 2022 21:26:23.092974901 CET  587          49841      45.147.197.20  192.168.2.3
                                          Jan 13, 2022 21:26:23.093076944 CET  49841        587        192.168.2.3    45.147.197.20
                                          Jan 13, 2022 21:26:23.147528887 CET  587          49841      45.147.197.20  192.168.2.3
                                          Jan 13, 2022 21:26:23.147855043 CET  49841        587        192.168.2.3    45.147.197.20
                                          Jan 13, 2022 21:26:23.174637079 CET  587          49841      45.147.197.20  192.168.2.3
                                          Jan 13, 2022 21:26:23.174928904 CET  49841        587        192.168.2.3    45.147.197.20
                                          Jan 13, 2022 21:26:23.202395916 CET  587          49841      45.147.197.20  192.168.2.3
                                          Jan 13, 2022 21:26:23.203222036 CET  49841        587        192.168.2.3    45.147.197.20
                                          Jan 13, 2022 21:26:23.230205059 CET  587          49841      45.147.197.20  192.168.2.3
                                          Jan 13, 2022 21:26:23.231792927 CET  49841        587        192.168.2.3    45.147.197.20
                                          Jan 13, 2022 21:26:23.258584976 CET  587          49841      45.147.197.20  192.168.2.3
                                          Jan 13, 2022 21:26:23.258799076 CET  49841        587        192.168.2.3    45.147.197.20
                                          Jan 13, 2022 21:26:23.305896044 CET  587          49841      45.147.197.20  192.168.2.3
                                          Jan 13, 2022 21:26:23.306318998 CET  49841        587        192.168.2.3    45.147.197.20
                                          Jan 13, 2022 21:26:23.332994938 CET  587          49841      45.147.197.20  192.168.2.3
                                          Jan 13, 2022 21:26:23.333137035 CET  49841        587        192.168.2.3    45.147.197.20
                                          Jan 13, 2022 21:26:23.333803892 CET  587          49841      45.147.197.20  192.168.2.3
                                          Jan 13, 2022 21:26:23.335979939 CET  49841        587        192.168.2.3    45.147.197.20

                                          UDP Packets

                                          Timestamp                            Source Port  Dest Port  Source IP      Dest IP
                                          Jan 13, 2022 21:26:21.000920057 CET  60823        53         192.168.2.3    8.8.8.8
                                          Jan 13, 2022 21:26:21.035761118 CET  53           60823      8.8.8.8        192.168.2.3
                                          Jan 13, 2022 21:26:23.028445959 CET  52130        53         192.168.2.3    8.8.8.8
                                          Jan 13, 2022 21:26:23.062062025 CET  53           52130      8.8.8.8        192.168.2.3

                                          DNS Queries

                                          Timestamp                            Source IP      Dest IP        Trans ID  OP Code             Name      Type            Class
                                          Jan 13, 2022 21:26:21.000920057 CET  192.168.2.3    8.8.8.8        0x5fd4    Standard query (0)  milax.tk  A (IP address)  IN (0x0001)
                                          Jan 13, 2022 21:26:23.028445959 CET  192.168.2.3    8.8.8.8        0x317b    Standard query (0)  milax.tk  A (IP address)  IN (0x0001)

                                          DNS Answers

                                          Timestamp                            Source IP      Dest IP        Trans ID  Reply Code    Name      CName  Address        Type            Class
                                          Jan 13, 2022 21:26:21.035761118 CET  8.8.8.8        192.168.2.3    0x5fd4    No error (0)  milax.tk         45.147.197.20  A (IP address)  IN (0x0001)
                                          Jan 13, 2022 21:26:23.062062025 CET  8.8.8.8        192.168.2.3    0x317b    No error (0)  milax.tk         45.147.197.20  A (IP address)  IN (0x0001)

                                          SMTP Packets

                                          Timestamp                            Source Port  Dest Port  Source IP      Dest IP        Commands
                                          Jan 13, 2022 21:26:21.254138947 CET  587          49840      45.147.197.20  192.168.2.3    220 s20.server-panel.net ESMTP Exim 4.92.2 Thu, 13 Jan 2022 22:26:21 +0200
                                          Jan 13, 2022 21:26:21.254787922 CET  49840        587        192.168.2.3    45.147.197.20  EHLO 210979
                                          Jan 13, 2022 21:26:21.281109095 CET  587          49840      45.147.197.20  192.168.2.3    250-s20.server-panel.net Hello 210979 [84.17.52.18]
                                                                                                                                     250-SIZE 52428800
                                                                                                                                     250-8BITMIME
                                                                                                                                     250-PIPELINING
                                                                                                                                     250-AUTH PLAIN LOGIN CRAM-MD5
                                                                                                                                     250-CHUNKING
                                                                                                                                     250-STARTTLS
                                                                                                                                     250 HELP
                                          Jan 13, 2022 21:26:21.282515049 CET  49840        587        192.168.2.3    45.147.197.20  AUTH login bWFjZG9ubG9nQG1pbGF4LnRr
                                          Jan 13, 2022 21:26:21.308669090 CET  587          49840      45.147.197.20  192.168.2.3    334 UGFzc3dvcmQ6
                                          Jan 13, 2022 21:26:21.335298061 CET  587          49840      45.147.197.20  192.168.2.3    235 Authentication succeeded
                                          Jan 13, 2022 21:26:21.337088108 CET  49840        587        192.168.2.3    45.147.197.20  MAIL FROM:<macdonlog@milax.tk>
                                          Jan 13, 2022 21:26:21.362592936 CET  587          49840      45.147.197.20  192.168.2.3    250 OK
                                          Jan 13, 2022 21:26:21.363178015 CET  49840        587        192.168.2.3    45.147.197.20  RCPT TO:<macdon@milax.tk>
                                          Jan 13, 2022 21:26:21.406872988 CET  587          49840      45.147.197.20  192.168.2.3    550 Sender rate overlimit - 35.4 / 1h / macdonlog@milax.tk
                                          Jan 13, 2022 21:26:21.436141968 CET  587          49840      45.147.197.20  192.168.2.3    421 s20.server-panel.net lost input connection
                                          Jan 13, 2022 21:26:23.147528887 CET  587          49841      45.147.197.20  192.168.2.3    220 s20.server-panel.net ESMTP Exim 4.92.2 Thu, 13 Jan 2022 22:26:23 +0200
                                          Jan 13, 2022 21:26:23.147855043 CET  49841        587        192.168.2.3    45.147.197.20  EHLO 210979
                                          Jan 13, 2022 21:26:23.174637079 CET  587          49841      45.147.197.20  192.168.2.3    250-s20.server-panel.net Hello 210979 [84.17.52.18]
                                                                                                                                     250-SIZE 52428800
                                                                                                                                     250-8BITMIME
                                                                                                                                     250-PIPELINING
                                                                                                                                     250-AUTH PLAIN LOGIN CRAM-MD5
                                                                                                                                     250-CHUNKING
                                                                                                                                     250-STARTTLS
                                                                                                                                     250 HELP
                                          Jan 13, 2022 21:26:23.174928904 CET  49841        587        192.168.2.3    45.147.197.20  AUTH login bWFjZG9ubG9nQG1pbGF4LnRr
                                          Jan 13, 2022 21:26:23.202395916 CET  587          49841      45.147.197.20  192.168.2.3    334 UGFzc3dvcmQ6
                                          Jan 13, 2022 21:26:23.230205059 CET  587          49841      45.147.197.20  192.168.2.3    235 Authentication succeeded
                                          Jan 13, 2022 21:26:23.231792927 CET  49841        587        192.168.2.3    45.147.197.20  MAIL FROM:<macdonlog@milax.tk>
                                          Jan 13, 2022 21:26:23.258584976 CET  587          49841      45.147.197.20  192.168.2.3    250 OK
                                          Jan 13, 2022 21:26:23.258799076 CET  49841        587        192.168.2.3    45.147.197.20  RCPT TO:<macdon@milax.tk>
                                          Jan 13, 2022 21:26:23.305896044 CET  587          49841      45.147.197.20  192.168.2.3    550 Sender rate overlimit - 36.3 / 1h / macdonlog@milax.tk
                                          Jan 13, 2022 21:26:23.332994938 CET  587          49841      45.147.197.20  192.168.2.3    421 s20.server-panel.net lost input connection

                                          Code Manipulations

                                          Statistics

                                          Behavior


                                          System Behavior

                                          General

                                          Start time:21:24:22
                                          Start date:13/01/2022
                                          Path:C:\Users\user\Desktop\macdonzx.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\macdonzx.exe"
                                          Imagebase:0x170000
                                          File size:474624 bytes
                                          MD5 hash:E1CDD88E54FDE674768D48D248CB24CE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000002.00000002.325356794.0000000002691000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000002.00000002.325423946.00000000026DC000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.325855720.0000000003699000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000002.325855720.0000000003699000.00000004.00000001.sdmp, Author: Joe Security
                                          Reputation:low

                                          General

                                          Start time:21:24:35
                                          Start date:13/01/2022
                                          Path:C:\Users\user\Desktop\macdonzx.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Users\user\Desktop\macdonzx.exe
                                          Imagebase:0x60000
                                          File size:474624 bytes
                                          MD5 hash:E1CDD88E54FDE674768D48D248CB24CE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:low

                                          General

                                          Start time:21:24:36
                                          Start date:13/01/2022
                                          Path:C:\Users\user\Desktop\macdonzx.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Users\user\Desktop\macdonzx.exe
                                          Imagebase:0x890000
                                          File size:474624 bytes
                                          MD5 hash:E1CDD88E54FDE674768D48D248CB24CE
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000000.322102466.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000D.00000000.322102466.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.551245127.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000D.00000002.551245127.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000000.321599749.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000D.00000000.321599749.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000000.321170477.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000D.00000000.321170477.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000000.322547714.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 0000000D.00000000.322547714.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.562575155.0000000002C11000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.562575155.0000000002C11000.00000004.00000001.sdmp, Author: Joe Security
                                          Reputation:low
