
Windows Analysis Report
xgnxoS8HWxonNHl.exe

Overview

General Information

Sample Name: xgnxoS8HWxonNHl.exe
Analysis ID: 612101
MD5: 56e4a7420f9a9fa987aba56b6f91fbcb
SHA1: 31595356f127256829e137be2c28ab6f4788e76e
SHA256: 12811d59e069011b7a1249365e515c8b63f21dd480cd955e2ec027aa2e3b80d8
Tags: agenttesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains very large array initializations
PE file has nameless sections
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
PE file contains section with special chars
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Checks if the current process is being debugged
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

(classification chart not reproduced)

Process Tree

  • System is w10x64
  • xgnxoS8HWxonNHl.exe (PID: 6420, cmdline: "C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe", MD5: 56E4A7420F9A9FA987ABA56B6F91FBCB)
    • xgnxoS8HWxonNHl.exe (PID: 6736, cmdline: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe, MD5: 56E4A7420F9A9FA987ABA56B6F91FBCB)
  • cleanup

The second instance (PID 6736) is started by the first from the same image on disk. The unpacked AgentTesla payload and its configuration are carved from that child's memory (the 3.x.xgnxoS8HWxonNHl.exe.400000.* sources in the Yara and AV sections below), which fits the suspended-mode process creation flagged in the signature list: the first process is a loader, the child is hollowed and hosts the stealer.
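The detection logic for the process-tree shape above, as an added example that is not part of the Joe Sandbox report: a binary in a user-writable directory re-launching its own image, optionally correlated with a DNS query for the SMTP host taken from the extracted configuration. The event records are constructed to mirror the tree and follow Sysmon Event ID 1 / 22 field names; the explorer.exe grandparent and the attribution of the DNS query to PID 6736 are assumptions the report does not state.

```python
"""Self-spawn detection for the process tree above (added example, not sandbox
output). Records are constructed; the explorer.exe parent (PID 4120) and the
PID on the DNS event are assumptions, not facts from the report."""
from dataclasses import dataclass
import ntpath
import re


@dataclass(frozen=True)
class ProcessCreate:          # subset of Sysmon Event ID 1 fields
    pid: int
    ppid: int
    image: str
    parent_image: str
    command_line: str


@dataclass(frozen=True)
class DnsQuery:               # subset of Sysmon Event ID 22 fields
    pid: int
    query: str


# Directories an unprivileged user can write to. A browser spawning a renderer
# of its own image from Program Files is normal; a binary doing it from here is not.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\(desktop|downloads|appdata)|windows\\temp|programdata)\\",
    re.IGNORECASE,
)

EVENTS = [  # constructed to mirror the report's process tree
    ProcessCreate(6420, 4120, r"C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe",
                  r"C:\Windows\explorer.exe",
                  r'"C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe"'),
    ProcessCreate(6736, 6420, r"C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe",
                  r"C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe",
                  r"C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe"),
    # control 1: benign self-spawn from Program Files
    ProcessCreate(7104, 7088, r"C:\Program Files\Mozilla Firefox\firefox.exe",
                  r"C:\Program Files\Mozilla Firefox\firefox.exe",
                  r'"C:\Program Files\Mozilla Firefox\firefox.exe"'),
    # control 2: user-writable path, but launched by Explorer rather than by itself
    ProcessCreate(7300, 4120, r"C:\Users\user\Downloads\setup.exe",
                  r"C:\Windows\explorer.exe", r'"C:\Users\user\Downloads\setup.exe"'),
]

DNS_EVENTS = [  # constructed; the PID attribution is assumed
    DnsQuery(6736, "smtp.ormretsan.com"),
    DnsQuery(7104, "www.mozilla.org"),
]


def is_self_spawn(ev: ProcessCreate) -> bool:
    """Child and parent run the same on-disk image (case-insensitive path compare)."""
    return ntpath.normcase(ev.image) == ntpath.normcase(ev.parent_image)


def find_self_spawn_from_user_paths(events):
    """Self-spawns whose image lives in a user-writable directory."""
    return [ev for ev in events
            if is_self_spawn(ev) and USER_WRITABLE.match(ev.image)]


def correlate_with_iocs(findings, dns_events, ioc_hosts):
    """Escalate a finding when the flagged process resolved a host from the
    extracted malware configuration (here the SMTP exfiltration host)."""
    wanted = {h.lower() for h in ioc_hosts}
    pids = {ev.pid for ev in findings}
    return sorted((d.pid, d.query) for d in dns_events
                  if d.pid in pids and d.query.lower() in wanted)


if __name__ == "__main__":
    hits = find_self_spawn_from_user_paths(EVENTS)
    for ev in hits:
        print(f"self-spawn from user path: pid={ev.pid} ppid={ev.ppid} image={ev.image}")
    for pid, host in correlate_with_iocs(hits, DNS_EVENTS, {"smtp.ormretsan.com"}):
        print(f"pid {pid} resolved configured exfil host {host}")
```

Only PID 6736 is reported: the loader itself was started by Explorer, the Firefox control runs from Program Files, and setup.exe was not launched by its own image. Sysmon does not record the suspended creation flag, so the same-image relationship plus the path is the observable stand-in for it.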
Malware Configuration

Threatname: AgentTesla
{"Exfil Mode": "SMTP", "Username": "umut@ormretsan.com", "Password": "AGjluYt1", "Host": "smtp.ormretsan.com"}

The extracted configuration is the exfiltration channel: harvested credentials and keystrokes are mailed over SMTP through smtp.ormretsan.com with the hard-coded mailbox above. The host is a direct network indicator and is the one hostname the sample is reported to have resolved during the run (see the DNS traffic entry further below).
Yara Overview: Memory Dumps

Source | Rule | Description | Author
00000003.00000000.410042576.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000003.00000000.410042576.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000000.00000002.417603219.00000000041EC000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.417603219.00000000041EC000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000003.00000000.409181519.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(16 entries in the full report; the first five are shown)
Yara Overview: Unpacked PEs

Source | Rule | Description | Author
0.2.xgnxoS8HWxonNHl.exe.422f518.9.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.xgnxoS8HWxonNHl.exe.422f518.9.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0.2.xgnxoS8HWxonNHl.exe.422f518.9.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen
  Matched strings:
  • 0x2edfe:$s1: get_kbok
  • 0x2f741:$s2: get_CHoo
  • 0x3037b:$s3: set_passwordIsSet
  • 0x2ec02:$s4: get_enableLog
  • 0x33276:$s8: torbrowser
  • 0x31c52:$s10: logins
  • 0x315ca:$s11: credential
  • 0x2e023:$g1: get_Clipboard
  • 0x2e031:$g2: get_Keyboard
  • 0x2e03e:$g3: get_Password
  • 0x2f5e0:$g4: get_CtrlKeyDown
  • 0x2f5f0:$g5: get_ShiftKeyDown
  • 0x2f601:$g6: get_AltKeyDown
3.2.xgnxoS8HWxonNHl.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
3.2.xgnxoS8HWxonNHl.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
(28 entries in the full report; the first five are shown)

The community rule keys on .NET metadata rather than on code: property accessor names (get_Keyboard, get_Clipboard, get_Password, get_CtrlKeyDown, get_ShiftKeyDown, get_AltKeyDown) from the keylogger, and browser credential-store terms (logins, credential, torbrowser). These names only become visible once the payload has been unpacked into memory, which is why the hits are on carved 0x400000 / 0x422f518 images and not on the file as submitted.

Sigma Overview

Source: Process started, Author: frack113
  Command: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe
  CommandLine: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe
  CommandLine|base64offset|contains: 
  Image: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe
  NewProcessName: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe
  OriginalFileName: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe
  ParentCommandLine: "C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe"
  ParentImage: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe
  ParentProcessId: 6420
  ParentProcessName: xgnxoS8HWxonNHl.exe
  ProcessCommandLine: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe
  ProcessId: 6736
  ProcessName: xgnxoS8HWxonNHl.exe

Snort Overview

No Snort rule has matched


                    AV Detection

Source: 3.0.xgnxoS8HWxonNHl.exe.400000.12.unpack, Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "umut@ormretsan.com", "Password": "AGjluYt1", "Host": "smtp.ormretsan.com"}
Source: xgnxoS8HWxonNHl.exe, ReversingLabs: Detection: 24%
Source: xgnxoS8HWxonNHl.exe, Joe Sandbox ML: detected
Source: 3.0.xgnxoS8HWxonNHl.exe.400000.12.unpack, Avira: Label: TR/Spy.Gen8
Source: 3.0.xgnxoS8HWxonNHl.exe.400000.4.unpack, Avira: Label: TR/Spy.Gen8
Source: 3.0.xgnxoS8HWxonNHl.exe.400000.10.unpack, Avira: Label: TR/Spy.Gen8
Source: 3.2.xgnxoS8HWxonNHl.exe.400000.0.unpack, Avira: Label: TR/Spy.Gen8
Source: 3.0.xgnxoS8HWxonNHl.exe.400000.6.unpack, Avira: Label: TR/Spy.Gen8
Source: 3.0.xgnxoS8HWxonNHl.exe.400000.8.unpack, Avira: Label: TR/Spy.Gen8

Note the gap between the two views: 24% of the multi-engine scanners flag the packed file on disk, while every image carved from the child process at 0x400000 gets the same Avira label (TR/Spy.Gen8). The packer, not the AgentTesla payload, is what evades static scanning; detection on the hollowed child's memory is the dependable signal.
Source: xgnxoS8HWxonNHl.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: xgnxoS8HWxonNHl.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe, Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe, Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe, Code function: 4x nop then mov ecx, dword ptr [ebp-38h]
Networking

Source: xgnxoS8HWxonNHl.exe, 00000003.00000002.629133048.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: xgnxoS8HWxonNHl.exe, 00000003.00000002.629133048.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://ATRZqY.com
Source: xgnxoS8HWxonNHl.exe, 00000003.00000002.629133048.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://DynDns.comDynDNS
Source: xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://fontfabrik.com
Source: xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: xgnxoS8HWxonNHl.exe, 00000000.00000003.373157693.0000000007A82000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.carterandcone.comi)
Source: xgnxoS8HWxonNHl.exe, 00000000.00000003.372641423.0000000007A8E000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.carterandcone.comily)
Source: xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000000.00000003.372641423.0000000007A8E000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: xgnxoS8HWxonNHl.exe, 00000000.00000003.378171280.0000000007A85000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: xgnxoS8HWxonNHl.exe, 00000000.00000003.376637617.0000000007AB8000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000000.00000003.384487951.0000000007ABB000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000000.00000003.376696263.0000000007AB8000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000000.00000003.375942088.0000000007ABB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: xgnxoS8HWxonNHl.exe, 00000000.00000003.376510155.0000000007AB8000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.com/designers%
Source: xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: xgnxoS8HWxonNHl.exe, 00000000.00000003.377363480.0000000007A85000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000000.00000003.377016385.0000000007AB3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: xgnxoS8HWxonNHl.exe, 00000000.00000003.376447774.0000000007AB8000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000000.00000003.375942088.0000000007ABB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.com/designersB
Source: xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: xgnxoS8HWxonNHl.exe, 00000000.00000003.376447774.0000000007AB8000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.com/designersP
Source: xgnxoS8HWxonNHl.exe, 00000000.00000003.377813742.0000000007AB3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.com/designersY
Source: xgnxoS8HWxonNHl.exe, 00000000.00000003.384487951.0000000007ABB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.com/designersc
Source: xgnxoS8HWxonNHl.exe, 00000000.00000003.377813742.0000000007AB3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.com/designerss
Source: xgnxoS8HWxonNHl.exe, 00000000.00000003.376069831.0000000007ABB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.com/designersv
Source: xgnxoS8HWxonNHl.exe, 00000000.00000003.376341670.0000000007A85000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.com/i
Source: xgnxoS8HWxonNHl.exe, 00000000.00000003.378171280.0000000007A85000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000000.00000003.377363480.0000000007A85000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.com4
Source: xgnxoS8HWxonNHl.exe, 00000000.00000003.378171280.0000000007A85000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.comF
Source: xgnxoS8HWxonNHl.exe, 00000000.00000003.411742228.0000000007A80000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000000.00000002.419351318.0000000007A80000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.coma
Source: xgnxoS8HWxonNHl.exe, 00000000.00000003.378171280.0000000007A85000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.comalsS?
Source: xgnxoS8HWxonNHl.exe, 00000000.00000003.376341670.0000000007A85000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.comasF
Source: xgnxoS8HWxonNHl.exe, 00000000.00000003.377363480.0000000007A85000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.comcomd
Source: xgnxoS8HWxonNHl.exe, 00000000.00000003.378171280.0000000007A85000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.comd
Source: xgnxoS8HWxonNHl.exe, 00000000.00000003.377363480.0000000007A85000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.comd~
Source: xgnxoS8HWxonNHl.exe, 00000000.00000003.378171280.0000000007A85000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.comessed
Source: xgnxoS8HWxonNHl.exe, 00000000.00000003.411742228.0000000007A80000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000000.00000002.419351318.0000000007A80000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fontbureau.comldTFM
Source: xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.fonts.com
Source: xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000000.00000003.371387468.0000000007ABE000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000000.00000003.371615251.0000000007ABD000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000000.00000003.371351820.0000000007ABD000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000000.00000003.371440220.0000000007ABD000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000000.00000003.371503172.0000000007ABD000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000000.00000003.371366282.0000000007A82000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: xgnxoS8HWxonNHl.exe, 00000000.00000003.371988138.0000000007A82000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/
Source: xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: xgnxoS8HWxonNHl.exe, 00000000.00000003.371366282.0000000007A82000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.founder.com.cn/cnttp
Source: xgnxoS8HWxonNHl.exe, 00000000.00000003.379889262.0000000007AB3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.galapagosdesign.com/
Source: xgnxoS8HWxonNHl.exe, 00000000.00000003.379889262.0000000007AB3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.galapagosdesign.com/3
Source: xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: xgnxoS8HWxonNHl.exe, 00000000.00000003.379946625.0000000007AB3000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000000.00000003.379889262.0000000007AB3000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000000.00000003.368156883.0000000007A82000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000000.00000003.368566801.0000000007A83000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: xgnxoS8HWxonNHl.exe, 00000000.00000003.368566801.0000000007A83000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.sajatypeworks.comC
Source: xgnxoS8HWxonNHl.exe, 00000000.00000003.368566801.0000000007A83000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.sajatypeworks.comX
Source: xgnxoS8HWxonNHl.exe, 00000000.00000003.368156883.0000000007A82000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.sajatypeworks.comurs
Source: xgnxoS8HWxonNHl.exe, 00000000.00000003.368156883.0000000007A82000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.sajatypeworks.comz
Source: xgnxoS8HWxonNHl.exe, 00000000.00000003.373879871.0000000007ABB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.sakkal.com
Source: xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000000.00000003.372072274.0000000007A84000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000000.00000003.372094133.0000000007A8D000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.tiro.com
Source: xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.typography.netD
Source: xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: xgnxoS8HWxonNHl.exe, 00000000.00000003.372478173.0000000007A8E000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.zhongyicts.com.cna
Source: xgnxoS8HWxonNHl.exe, 00000003.00000002.629133048.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: xgnxoS8HWxonNHl.exe, 00000000.00000002.417603219.00000000041EC000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000003.00000000.410042576.0000000000402000.00000040.00000400.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000003.00000000.407935315.0000000000402000.00000040.00000400.00020000.00000000.sdmp, String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: xgnxoS8HWxonNHl.exe, 00000003.00000002.629133048.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown, DNS traffic detected: queries for: smtp.ormretsan.com

Reading this list: the fontbureau.com, carterandcone.com, founder.com.cn, galapagosdesign.com, sajatypeworks.com, sakkal.com, sandoll.co.kr, tiro.com, typography.net, urwpp.de, zhongyicts.com.cn, goodfont.co.kr, jiyu-kobo.co.jp, fontfabrik.com and fonts.com entries are vendor and designer URLs from font name tables that ended up in the loader process's memory (the stray trailing characters are adjacent binary data), not contact points of the malware; the apache.org licence URL is of the same kind. The operational indicators sit in the child process (process 3) memory: smtp.ormretsan.com, the configured exfiltration host and the only DNS query reported for the run; api.ipify.org, which AgentTesla uses to look up the victim's public IP (the Mozilla/5.0 fragment beside it is the User-Agent it sends); and the theonionrouter.com Tor bundle URL with its %tordir% placeholder, used when the stealer is configured to exfiltrate over Tor. Blocking or alerting on the SMTP host is the immediate network control.
Source: xgnxoS8HWxonNHl.exe, 00000000.00000002.412423872.00000000009D8000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                    System Summary

Source: 0.2.xgnxoS8HWxonNHl.exe.422f518.9.unpack, type: UNPACKEDPE, Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 3.2.xgnxoS8HWxonNHl.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 3.0.xgnxoS8HWxonNHl.exe.400000.12.unpack, type: UNPACKEDPE, Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 3.0.xgnxoS8HWxonNHl.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.xgnxoS8HWxonNHl.exe.4265338.10.raw.unpack, type: UNPACKEDPE, Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.xgnxoS8HWxonNHl.exe.4265338.10.unpack, type: UNPACKEDPE, Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 3.0.xgnxoS8HWxonNHl.exe.400000.10.unpack, type: UNPACKEDPE, Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 3.0.xgnxoS8HWxonNHl.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 3.0.xgnxoS8HWxonNHl.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.xgnxoS8HWxonNHl.exe.422f518.9.raw.unpack, type: UNPACKEDPE, Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.xgnxoS8HWxonNHl.exe.41ec0f8.8.raw.unpack, type: UNPACKEDPE, Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 00000003.00000002.629133048.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: Process Memory Space: xgnxoS8HWxonNHl.exe PID: 6736, type: MEMORYSTR, Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 3.0.xgnxoS8HWxonNHl.exe.400000.4.unpack, <PrivateImplementationDetails>{373E7CD5-9659-43C8-8AAD-068512C7055E}/D11C88A7-4F14-4DD5-9314-3310C843C7AD.cs, Large array initialization: .cctor: array initializer size 11949
Source: xgnxoS8HWxonNHl.exe, Static PE information: section name: (empty)
Source: xgnxoS8HWxonNHl.exe, Static PE information: section name: =hsS2-
Source: xgnxoS8HWxonNHl.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 0.2.xgnxoS8HWxonNHl.exe.422f518.9.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 3.2.xgnxoS8HWxonNHl.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 3.0.xgnxoS8HWxonNHl.exe.400000.12.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 3.0.xgnxoS8HWxonNHl.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.xgnxoS8HWxonNHl.exe.4265338.10.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.xgnxoS8HWxonNHl.exe.4265338.10.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 3.0.xgnxoS8HWxonNHl.exe.400000.10.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 3.0.xgnxoS8HWxonNHl.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 3.0.xgnxoS8HWxonNHl.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.xgnxoS8HWxonNHl.exe.422f518.9.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.xgnxoS8HWxonNHl.exe.41ec0f8.8.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 00000003.00000002.629133048.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: Process Memory Space: xgnxoS8HWxonNHl.exe PID: 6736, type: MEMORYSTR, Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe, Code function: 0_2_00B82380
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe, Code function: 0_2_00B834A8
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe, Code function: 0_2_00B8A470
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe, Code function: 0_2_00B80472
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe, Code function: 0_2_00B81847
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe, Code function: 0_2_00B82B4A
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe, Code function: 0_2_00B82FB8
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe, Code function: 0_2_00B851B8
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe, Code function: 0_2_00B851C8
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe, Code function: 0_2_00B822E1
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe, Code function: 0_2_00B86620
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe, Code function: 0_2_00B86610
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe, Code function: 0_2_00B86898
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe, Code function: 0_2_00B86888
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe, Code function: 0_2_00B85D38
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe, Code function: 0_2_00B85D29
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe, Code function: 0_2_04BC342C
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe, Code function: 0_2_04BC5470
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe, Code function: 0_2_04BC5460
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe, Code function: 3_2_013946A0
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe, Code function: 3_2_0139461F
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe, Code function: 3_2_0139D980
                    Source: xgnxoS8HWxonNHl.exeBinary or memory string: OriginalFilename vs xgnxoS8HWxonNHl.exe
                    Source: xgnxoS8HWxonNHl.exe, 00000000.00000002.412423872.00000000009D8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs xgnxoS8HWxonNHl.exe
                    Source: xgnxoS8HWxonNHl.exe, 00000000.00000002.417769097.00000000045A0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs xgnxoS8HWxonNHl.exe
                    Source: xgnxoS8HWxonNHl.exe, 00000000.00000002.417603219.00000000041EC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameDTuNaZxjHfMwnFJPQuCIUFoupH.exe4 vs xgnxoS8HWxonNHl.exe
                    Source: xgnxoS8HWxonNHl.exe, 00000000.00000002.416424640.0000000003DA5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs xgnxoS8HWxonNHl.exe
                    Source: xgnxoS8HWxonNHl.exe, 00000000.00000002.414094284.00000000028D3000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameIntrospective.dll" vs xgnxoS8HWxonNHl.exe
                    Source: xgnxoS8HWxonNHl.exe, 00000000.00000002.413129137.00000000025A1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameDTuNaZxjHfMwnFJPQuCIUFoupH.exe4 vs xgnxoS8HWxonNHl.exe
                    Source: xgnxoS8HWxonNHl.exeBinary or memory string: OriginalFilename vs xgnxoS8HWxonNHl.exe
Source: xgnxoS8HWxonNHl.exe, 00000003.00000000.410042576.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameDTuNaZxjHfMwnFJPQuCIUFoupH.exe4 vs xgnxoS8HWxonNHl.exe
Source: xgnxoS8HWxonNHl.exe | Binary or memory string: OriginalFilenameWindowsRuntimeBufferHel.exeN vs xgnxoS8HWxonNHl.exe
Source: xgnxoS8HWxonNHl.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: xgnxoS8HWxonNHl.exe | Static PE information: Section: =hsS2- ZLIB complexity 1.00042941046
Source: xgnxoS8HWxonNHl.exe | ReversingLabs: Detection: 24%
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe "C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe"
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Process created: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\xgnxoS8HWxonNHl.exe.log
Source: classification engine | Classification label: mal100.troj.evad.winEXE@3/1@2/0
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Mutant created: \Sessions\1\BaseNamedObjects\YVJBkCIQvfTzzbbrrZNFQ
Source: 3.0.xgnxoS8HWxonNHl.exe.400000.4.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: xgnxoS8HWxonNHl.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: xgnxoS8HWxonNHl.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Code function: 0_2_00272FC0 push 20062B25h; iretd
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Code function: 3_2_0110E332 push eax; ret
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Code function: 3_2_0110D95C push eax; ret
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Code function: 3_2_0110E38A push eax; ret
Source: xgnxoS8HWxonNHl.exe | Static PE information: section name: =hsS2-
Source: xgnxoS8HWxonNHl.exe | Static PE information: section name:
Source: initial sample | Static PE information: section name: =hsS2- entropy: 7.99707331021
Source: initial sample | Static PE information: section name: .text entropy: 7.91748293352
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match | File source: 00000000.00000002.413129137.00000000025A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: xgnxoS8HWxonNHl.exe PID: 6420, type: MEMORYSTR
Source: xgnxoS8HWxonNHl.exe, 00000000.00000002.413129137.00000000025A1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
Source: xgnxoS8HWxonNHl.exe, 00000000.00000002.413129137.00000000025A1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe TID: 6312 | Thread sleep time: -45733s >= -30000s
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe TID: 6384 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe TID: 4128 | Thread sleep count: 33 > 30
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe TID: 4128 | Thread sleep time: -30437127721620741s >= -30000s
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe TID: 6556 | Thread sleep count: 4675 > 30
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe TID: 6556 | Thread sleep count: 5149 > 30
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Window / User API: threadDelayed 4675
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Window / User API: threadDelayed 5149
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Thread delayed: delay time: 45733
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Thread delayed: delay time: 922337203685477
Source: xgnxoS8HWxonNHl.exe, 00000000.00000002.413129137.00000000025A1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: xgnxoS8HWxonNHl.exe, 00000000.00000002.413129137.00000000025A1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
Source: xgnxoS8HWxonNHl.exe, 00000000.00000002.413129137.00000000025A1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
Source: xgnxoS8HWxonNHl.exe, 00000000.00000002.413129137.00000000025A1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Anti Debugging

Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Code function: 0_2_00B81628 CheckRemoteDebuggerPresent,
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Process created: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

Source: Yara match | File source: 0.2.xgnxoS8HWxonNHl.exe.422f518.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.xgnxoS8HWxonNHl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.xgnxoS8HWxonNHl.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.xgnxoS8HWxonNHl.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.xgnxoS8HWxonNHl.exe.4265338.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.xgnxoS8HWxonNHl.exe.4265338.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.xgnxoS8HWxonNHl.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.xgnxoS8HWxonNHl.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.xgnxoS8HWxonNHl.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.xgnxoS8HWxonNHl.exe.422f518.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.xgnxoS8HWxonNHl.exe.41ec0f8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000000.410042576.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.417603219.00000000041EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.409181519.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.407935315.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.408520132.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.627732273.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.629133048.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: xgnxoS8HWxonNHl.exe PID: 6420, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: xgnxoS8HWxonNHl.exe PID: 6736, type: MEMORYSTR
Source: Yara match | File source: 00000003.00000002.629133048.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: xgnxoS8HWxonNHl.exe PID: 6736, type: MEMORYSTR

                    Remote Access Functionality

Source: Yara match | File source: 0.2.xgnxoS8HWxonNHl.exe.422f518.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.xgnxoS8HWxonNHl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.xgnxoS8HWxonNHl.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.xgnxoS8HWxonNHl.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.xgnxoS8HWxonNHl.exe.4265338.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.xgnxoS8HWxonNHl.exe.4265338.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.xgnxoS8HWxonNHl.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.xgnxoS8HWxonNHl.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.xgnxoS8HWxonNHl.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.xgnxoS8HWxonNHl.exe.422f518.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.xgnxoS8HWxonNHl.exe.41ec0f8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000000.410042576.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.417603219.00000000041EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.409181519.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.407935315.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.408520132.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.627732273.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.629133048.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: xgnxoS8HWxonNHl.exe PID: 6420, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: xgnxoS8HWxonNHl.exe PID: 6736, type: MEMORYSTR

MITRE ATT&CK matrix, listed per tactic column (the digit strings in square brackets are the matched-signature counters shown next to a technique, kept as extracted):
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation [211]; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: Process Injection [11]; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: Masquerading [1]; Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [141]; Process Injection [11]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [3]; Software Packing [4]
Credential Access: Input Capture [1]; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Security Software Discovery [321]; Process Discovery [1]; Virtualization/Sandbox Evasion [141]; Application Window Discovery [1]; System Information Discovery [113]; System Owner/User Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Input Capture [1]; Archive Collected Data [11]; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: Encrypted Channel [1]; Non-Application Layer Protocol [1]; Application Layer Protocol [1]; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
Impact: Modify System Partition; Device Lockout; Delete Device Data; Data Encrypted for Impact

Source | Detection | Scanner | Label | Link
xgnxoS8HWxonNHl.exe | 24% | ReversingLabs | ByteCode-MSIL.Trojan.Taskun |
xgnxoS8HWxonNHl.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
Source | Detection | Scanner | Label | Link | Download
3.0.xgnxoS8HWxonNHl.exe.400000.12.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
3.0.xgnxoS8HWxonNHl.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
3.0.xgnxoS8HWxonNHl.exe.400000.10.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
3.2.xgnxoS8HWxonNHl.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
3.0.xgnxoS8HWxonNHl.exe.400000.6.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
3.0.xgnxoS8HWxonNHl.exe.400000.8.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.fontbureau.comessed | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.sajatypeworks.comC | 0% | Avira URL Cloud | safe
http://www.fontbureau.comasF | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cnttp | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.fontbureau.com4 | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.comX | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.fontbureau.comldTFM | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
http://www.galapagosdesign.com/ | 0% | URL Reputation | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://www.fontbureau.comF | 0% | URL Reputation | safe
http://www.fontbureau.comcomd | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://www.fontbureau.comd~ | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.comz | 0% | Avira URL Cloud | safe
http://www.carterandcone.comily) | 0% | Avira URL Cloud | safe
http://www.fontbureau.coma | 0% | URL Reputation | safe
http://www.fontbureau.comd | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/ | 0% | URL Reputation | safe
http://www.fontbureau.comalsS? | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.zhongyicts.com.cna | 0% | URL Reputation | safe
http://www.galapagosdesign.com/3 | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.comurs | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.carterandcone.comi) | 0% | Avira URL Cloud | safe
http://ATRZqY.com | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
us2.smtp.mailhostbox.com | 162.222.225.16 | true | false | | high
smtp.ormretsan.com | unknown | unknown | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | xgnxoS8HWxonNHl.exe, 00000003.00000002.629133048.0000000002E31000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.fontbureau.com/designersG | xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/? | xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designersB | xgnxoS8HWxonNHl.exe, 00000000.00000003.376447774.0000000007AB8000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000000.00000003.375942088.0000000007ABB000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designersY | xgnxoS8HWxonNHl.exe, 00000000.00000003.377813742.0000000007AB3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.tiro.com | xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000000.00000003.372072274.0000000007A84000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000000.00000003.372094133.0000000007A8D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | xgnxoS8HWxonNHl.exe, 00000000.00000003.376637617.0000000007AB8000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000000.00000003.384487951.0000000007ABB000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000000.00000003.376696263.0000000007AB8000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000000.00000003.375942088.0000000007ABB000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.comessed | xgnxoS8HWxonNHl.exe, 00000000.00000003.378171280.0000000007A85000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.goodfont.co.kr | xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.comC | xgnxoS8HWxonNHl.exe, 00000000.00000003.368566801.0000000007A83000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comasF | xgnxoS8HWxonNHl.exe, 00000000.00000003.376341670.0000000007A85000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designersP | xgnxoS8HWxonNHl.exe, 00000000.00000003.376447774.0000000007AB8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cnttp | xgnxoS8HWxonNHl.exe, 00000000.00000003.371366282.0000000007A82000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sajatypeworks.com | xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000000.00000003.368156883.0000000007A82000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000000.00000003.368566801.0000000007A83000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | xgnxoS8HWxonNHl.exe, 00000000.00000003.379946625.0000000007AB3000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000000.00000003.379889262.0000000007AB3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com4 | xgnxoS8HWxonNHl.exe, 00000000.00000003.378171280.0000000007A85000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000000.00000003.377363480.0000000007A85000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sajatypeworks.comX | xgnxoS8HWxonNHl.exe, 00000000.00000003.368566801.0000000007A83000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designersc | xgnxoS8HWxonNHl.exe, 00000000.00000003.384487951.0000000007ABB000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.galapagosdesign.com/DPlease | xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.org%GETMozilla/5.0 | xgnxoS8HWxonNHl.exe, 00000003.00000002.629133048.0000000002E31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | low
http://www.fontbureau.com/designersv | xgnxoS8HWxonNHl.exe, 00000000.00000003.376069831.0000000007ABB000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fonts.com | xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | xgnxoS8HWxonNHl.exe, 00000000.00000003.373879871.0000000007ABB000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comldTFM | xgnxoS8HWxonNHl.exe, 00000000.00000003.411742228.0000000007A80000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000000.00000002.419351318.0000000007A80000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | xgnxoS8HWxonNHl.exe, 00000000.00000002.417603219.00000000041EC000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000003.00000000.410042576.0000000000402000.00000040.00000400.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000003.00000000.407935315.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designerss | xgnxoS8HWxonNHl.exe, 00000000.00000003.377813742.0000000007AB3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0 | xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | xgnxoS8HWxonNHl.exe, 00000000.00000003.378171280.0000000007A85000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.galapagosdesign.com/ | xgnxoS8HWxonNHl.exe, 00000000.00000003.379889262.0000000007AB3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://DynDns.comDynDNS | xgnxoS8HWxonNHl.exe, 00000003.00000002.629133048.0000000002E31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comF | xgnxoS8HWxonNHl.exe, 00000000.00000003.378171280.0000000007A85000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comcomd | xgnxoS8HWxonNHl.exe, 00000000.00000003.377363480.0000000007A85000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | xgnxoS8HWxonNHl.exe, 00000003.00000002.629133048.0000000002E31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/i | xgnxoS8HWxonNHl.exe, 00000000.00000003.376341670.0000000007A85000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.comd~ | xgnxoS8HWxonNHl.exe, 00000000.00000003.377363480.0000000007A85000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.sajatypeworks.comz | xgnxoS8HWxonNHl.exe, 00000000.00000003.368156883.0000000007A82000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.comily) | xgnxoS8HWxonNHl.exe, 00000000.00000003.372641423.0000000007A8E000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.fontbureau.coma | xgnxoS8HWxonNHl.exe, 00000000.00000003.411742228.0000000007A80000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000000.00000002.419351318.0000000007A80000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comd | xgnxoS8HWxonNHl.exe, 00000000.00000003.378171280.0000000007A85000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000000.00000003.372641423.0000000007A8E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/ | xgnxoS8HWxonNHl.exe, 00000000.00000003.371988138.0000000007A82000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.comalsS? | xgnxoS8HWxonNHl.exe, 00000000.00000003.378171280.0000000007A85000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn | xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000000.00000003.371387468.0000000007ABE000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000000.00000003.371615251.0000000007ABD000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000000.00000003.371351820.0000000007ABD000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000000.00000003.371440220.0000000007ABD000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000000.00000003.371503172.0000000007ABD000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000000.00000003.371366282.0000000007A82000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.zhongyicts.com.cna | xgnxoS8HWxonNHl.exe, 00000000.00000003.372478173.0000000007A8E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/3 | xgnxoS8HWxonNHl.exe, 00000000.00000003.379889262.0000000007AB3000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/cabarga.html | xgnxoS8HWxonNHl.exe, 00000000.00000003.377363480.0000000007A85000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers% | xgnxoS8HWxonNHl.exe, 00000000.00000003.376510155.0000000007AB8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sajatypeworks.comurs | xgnxoS8HWxonNHl.exe, 00000000.00000003.368156883.0000000007A82000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/ | xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                                                            http://www.fontbureau.com/designers8xgnxoS8HWxonNHl.exe, 00000000.00000002.419789394.0000000008C92000.00000004.00000800.00020000.00000000.sdmp, xgnxoS8HWxonNHl.exe, 00000000.00000003.377016385.0000000007AB3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              high
                                                              http://www.carterandcone.comi)xgnxoS8HWxonNHl.exe, 00000000.00000003.373157693.0000000007A82000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              low
                                                              http://ATRZqY.comxgnxoS8HWxonNHl.exe, 00000003.00000002.629133048.0000000002E31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              No contacted IP infos
Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 612101
Start date and time: 2022-04-20 15:13:32 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 48s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: xgnxoS8HWxonNHl.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@3/1@2/0
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 1.1% (good quality ratio 0.7%)
• Quality average: 42.4%
• Quality standard deviation: 36.8%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Adjust boot time
• Enable AMSI
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, login.live.com, sls.update.microsoft.com, settings-win.data.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• VT rate limit hit for: xgnxoS8HWxonNHl.exe
Time | Type | Description
15:15:00 | API Interceptor | 516x Sleep call for process: xgnxoS8HWxonNHl.exe modified
                                                              No context
Process: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1308
Entropy (8bit): 5.345811588615766
Encrypted: false
SSDEEP: 24:ML9E4Ks29E4Kx1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MxHKX9HKx1qHiYHKhQnoPtHoxHhAHKzu
MD5: 36C0A7F32E757FCBECED4EB6FC3C922C
SHA1: 939BED45186769E4D878B9A44420CE140445F2CB
SHA-256: C85B76D06B14DE0D203F30A03BA1D26F17BA9970FE8491AB00A1ED1C0DEC9989
SHA-512: F0C308E83AE3FB61E9A7AA68E2CA54D9D48027DF1E8D8092C1FA61600555005675063F377C50572C34A39E8CC77FC044EAF2BC31D5C08DC46446C38F4433DF18
Malicious: true
Reputation: moderate, very likely benign file
                                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.923008451625047
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 50.01%
• Win32 Executable (generic) a (10002005/4) 49.96%
• Win16/32 Executable Delphi generic (2074/23) 0.01%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: xgnxoS8HWxonNHl.exe
File size: 707584
MD5: 56e4a7420f9a9fa987aba56b6f91fbcb
SHA1: 31595356f127256829e137be2c28ab6f4788e76e
SHA256: 12811d59e069011b7a1249365e515c8b63f21dd480cd955e2ec027aa2e3b80d8
SHA512: db8da513d2de747f9e75294952e9c4087b0f5d3c0aa3dfc2735022f784a4205d2eacd78e15c192fda19c344d352bc7d3181fb5bc71dabcab898bcf77324d0824
SSDEEP: 12288:d1PHUMvd+OT+Aooafb45NmrNm2+oMFYlY2BUV3vIr9yhDS/PUn3It9DIi96KASyx:dBU2oAqk/hYR0/IIhDSk3o9R6KASe
TLSH: 42E4F19C326032EFC86BC076CEA86CB8EAA574BB971B57039417059DDE4D987CF150B2
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....._b..............0......,....... ...@... ....@.. .......................@............@................................
Icon Hash: 0000000000000000
Entrypoint: 0x4b200a
Entrypoint Section:
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x625FC909 [Wed Apr 20 08:49:13 2022 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
                                                              Instruction
                                                              jmp dword ptr [004B2000h]
                                                              add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x14870 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xae000 | 0xf78 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb0000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xb2000 | 0x8 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x14000 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
=hsS2- | 0x2000 | 0x118e4 | 0x11a00 | False | 1.00042941046 | data | 7.99707331021 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.text | 0x14000 | 0x99918 | 0x99a00 | False | 0.920395456164 | data | 7.91748293352 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0xae000 | 0xf78 | 0x1000 | False | 0.5673828125 | data | 6.3429053765 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xb0000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0980041756627 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
 | 0xb2000 | 0x10 | 0x200 | False | 0.044921875 | data | 0.142635768149 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0xae130 | 0x8a5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
RT_GROUP_ICON | 0xae9d8 | 0x14 | data | |
RT_VERSION | 0xae9ec | 0x39c | data | |
RT_MANIFEST | 0xaed88 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |
DLL | Import
mscoree.dll | _CorExeMain
Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Telemarketer
Assembly Version | 0.0.6.0
InternalName | WindowsRuntimeBufferHel.exe
FileVersion | 1.0.3.0
CompanyName | Telemarketer
LegalTrademarks |
Comments |
ProductName | Visual N-Queens Solver
ProductVersion | 1.0.3.0
FileDescription | Visual N-Queens Solver
OriginalFilename | WindowsRuntimeBufferHel.exe
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 20, 2022 15:16:58.594237089 CEST | 56758 | 53 | 192.168.2.7 | 8.8.8.8
Apr 20, 2022 15:16:58.798269033 CEST | 53 | 56758 | 8.8.8.8 | 192.168.2.7
Apr 20, 2022 15:16:58.803100109 CEST | 62381 | 53 | 192.168.2.7 | 8.8.8.8
Apr 20, 2022 15:16:58.821592093 CEST | 53 | 62381 | 8.8.8.8 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Apr 20, 2022 15:16:58.594237089 CEST | 192.168.2.7 | 8.8.8.8 | 0xe33 | Standard query (0) | smtp.ormretsan.com | A (IP address) | IN (0x0001)
Apr 20, 2022 15:16:58.803100109 CEST | 192.168.2.7 | 8.8.8.8 | 0xaf7f | Standard query (0) | smtp.ormretsan.com | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Apr 20, 2022 15:16:58.798269033 CEST | 8.8.8.8 | 192.168.2.7 | 0xe33 | No error (0) | smtp.ormretsan.com | us2.smtp.mailhostbox.com | | CNAME (Canonical name) | IN (0x0001)
Apr 20, 2022 15:16:58.798269033 CEST | 8.8.8.8 | 192.168.2.7 | 0xe33 | No error (0) | us2.smtp.mailhostbox.com | | 162.222.225.16 | A (IP address) | IN (0x0001)
Apr 20, 2022 15:16:58.798269033 CEST | 8.8.8.8 | 192.168.2.7 | 0xe33 | No error (0) | us2.smtp.mailhostbox.com | | 208.91.198.38 | A (IP address) | IN (0x0001)
Apr 20, 2022 15:16:58.798269033 CEST | 8.8.8.8 | 192.168.2.7 | 0xe33 | No error (0) | us2.smtp.mailhostbox.com | | 208.91.198.46 | A (IP address) | IN (0x0001)
Apr 20, 2022 15:16:58.798269033 CEST | 8.8.8.8 | 192.168.2.7 | 0xe33 | No error (0) | us2.smtp.mailhostbox.com | | 162.222.225.29 | A (IP address) | IN (0x0001)
Apr 20, 2022 15:16:58.821592093 CEST | 8.8.8.8 | 192.168.2.7 | 0xaf7f | No error (0) | smtp.ormretsan.com | us2.smtp.mailhostbox.com | | CNAME (Canonical name) | IN (0x0001)
Apr 20, 2022 15:16:58.821592093 CEST | 8.8.8.8 | 192.168.2.7 | 0xaf7f | No error (0) | us2.smtp.mailhostbox.com | | 162.222.225.16 | A (IP address) | IN (0x0001)
Apr 20, 2022 15:16:58.821592093 CEST | 8.8.8.8 | 192.168.2.7 | 0xaf7f | No error (0) | us2.smtp.mailhostbox.com | | 208.91.198.38 | A (IP address) | IN (0x0001)
Apr 20, 2022 15:16:58.821592093 CEST | 8.8.8.8 | 192.168.2.7 | 0xaf7f | No error (0) | us2.smtp.mailhostbox.com | | 208.91.198.46 | A (IP address) | IN (0x0001)
Apr 20, 2022 15:16:58.821592093 CEST | 8.8.8.8 | 192.168.2.7 | 0xaf7f | No error (0) | us2.smtp.mailhostbox.com | | 162.222.225.29 | A (IP address) | IN (0x0001)

Target ID: 0
Start time: 15:14:48
Start date: 20/04/2022
Path: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe"
Imagebase: 0x270000
File size: 707584 bytes
MD5 hash: 56E4A7420F9A9FA987ABA56B6F91FBCB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.417603219.00000000041EC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.417603219.00000000041EC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.413129137.00000000025A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low

Target ID: 3
Start time: 15:15:08
Start date: 20/04/2022
Path: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\xgnxoS8HWxonNHl.exe
Imagebase: 0xa70000
File size: 707584 bytes
                                                              MD5 hash:56E4A7420F9A9FA987ABA56B6F91FBCB
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:.Net C# or VB.NET
                                                              Yara matches:
                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000000.410042576.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000000.410042576.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000000.409181519.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000000.409181519.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000000.407935315.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000000.407935315.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000000.408520132.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000000.408520132.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.627732273.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000002.627732273.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.629133048.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.629133048.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: MALWARE_Win_AgentTeslaV3, Description: AgentTeslaV3 infostealer payload, Source: 00000003.00000002.629133048.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                              Reputation:low

                                                              No disassembly