Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
SecuriteInfo.com.Trojan.GenericKD.39649730.16343.2439

Overview

General Information

Sample Name:SecuriteInfo.com.Trojan.GenericKD.39649730.16343.2439 (renamed file extension from 2439 to exe)
Analysis ID:626423
MD5:351a6ff6c8aef2f1f3fcc9cd8c0dfd8e
SHA1:86b49c51155b6e3997a45e0ad1adef77722d4f6e
SHA256:6099e48acdfc2f116c21d55e3aff1a1b7bc0d4c5841ee5506f762cd66935ca2e
Tags:exe
Infos:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
.NET source code references suspicious native API functions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Contains functionality to register a low level keyboard hook
Machine Learning detection for sample
Injects a PE file into a foreign processes
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "v.saniuk@ibc.by", "Password": "QWErty654321", "Host": "webmail.active.by"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000004.00000000.272202502.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000004.00000000.272202502.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
      00000004.00000000.272808462.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        00000004.00000000.272808462.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
          00000004.00000002.510960801.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            Click to see the 16 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.6.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.6.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.6.unpackMALWARE_Win_AgentTeslaV3AgentTeslaV3 infostealer payloadditekSHen
                • 0x32d6f:$s10: logins
                • 0x327d6:$s11: credential
                • 0x2ed99:$g1: get_Clipboard
                • 0x2eda7:$g2: get_Keyboard
                • 0x2edb4:$g3: get_Password
                • 0x300af:$g4: get_CtrlKeyDown
                • 0x300bf:$g5: get_ShiftKeyDown
                • 0x300d0:$g6: get_AltKeyDown
                4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.8.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                  4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.8.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                    Click to see the 32 entries

                    Sigma Signatures

                    No Sigma rule has matched

                    Snort Signatures

                    No Snort rule has matched

                    Joe Sandbox Signatures

                    Click to jump to signature section

                    Show All Signature Results

                    AV Detection

                    barindex
                    Found malware configuration
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.6.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "v.saniuk@ibc.by", "Password": "QWErty654321", "Host": "webmail.active.by"}
                    Multi AV Scanner detection for submitted file
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeVirustotal: Detection: 33%Perma Link
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeReversingLabs: Detection: 43%
                    Machine Learning detection for sample
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeJoe Sandbox ML: detected
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.6.unpackAvira: Label: TR/Spy.Gen8
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.4.unpackAvira: Label: TR/Spy.Gen8
                    Source: 4.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.8.unpackAvira: Label: TR/Spy.Gen8
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.12.unpackAvira: Label: TR/Spy.Gen8
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.10.unpackAvira: Label: TR/Spy.Gen8
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                    Source: Binary string: AssemblyAlgorithmIdAttrib.pdb source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe
                    Source: Joe Sandbox ViewIP Address: 185.47.152.61 185.47.152.61
                    Source: global trafficTCP traffic: 192.168.2.3:49745 -> 185.47.152.61:587
                    Source: global trafficTCP traffic: 192.168.2.3:49745 -> 185.47.152.61:587
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.513468896.0000000002ED1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.513468896.0000000002ED1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.513468896.0000000002ED1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://WuEWlY.com
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.513128375.00000000013A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/RapidSSLTLSDVRSAMixedSHA2562
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.514453925.0000000003227000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.513128375.00000000013A4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.514578396.000000000326D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.517074812.0000000006A80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/RapidSSLTLSDVRSAMixedSHA2562020CA-1.crt0
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.513128375.00000000013A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRoot
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.514453925.0000000003227000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.513128375.00000000013A4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.514578396.000000000326D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.517074812.0000000006A80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.514453925.0000000003227000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.513128375.00000000013A4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.514578396.000000000326D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.517074812.0000000006A80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/RapidSSLTLSDVRSAMixedSHA2562020CA-1.crl0F
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.514453925.0000000003227000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.513128375.00000000013A4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.514578396.000000000326D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.517074812.0000000006A80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.514453925.0000000003227000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.513128375.00000000013A4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.514578396.000000000326D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.517074812.0000000006A80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/RapidSSLTLSDVRSAMixedSHA2562020CA-1.crl0
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://fontfabrik.com
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.514453925.0000000003227000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.513128375.00000000013A4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.514578396.000000000326D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.517074812.0000000006A80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.514453925.0000000003227000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.513128375.00000000013A4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.514578396.000000000326D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.517074812.0000000006A80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0O
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.514453925.0000000003227000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.514578396.000000000326D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://webmail.active.by
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.252248930.0000000005351000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.514453925.0000000003227000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.513128375.00000000013A4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.514578396.000000000326D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.517074812.0000000006A80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.288764673.0000000005340000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com=
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.288764673.0000000005340000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comoitu3
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.259518998.000000000537E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.259130181.000000000537E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.259303763.000000000537E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.260320170.000000000537D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.259791661.000000000537E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.259701206.000000000537E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.259471979.000000000537E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.259344901.000000000537E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.259609928.000000000537E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.259911250.000000000537D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.259056672.000000000537E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.259200492.000000000537E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.259281371.000000000537E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.260182995.000000000537D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.259547743.000000000537E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.259577319.000000000537E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.259756828.000000000537E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.259947152.000000000537D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.260104307.000000000537D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.258994813.000000000537E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.260143045.000000000537D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.251445922.0000000005346000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr&
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.251445922.0000000005346000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.krFT
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.251445922.0000000005346000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kry
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.253829018.0000000005342000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.253829018.0000000005342000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp//
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.253829018.0000000005342000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.251445922.0000000005346000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.251445922.0000000005346000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.krN.TTFp
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.251445922.0000000005346000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.krl
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.513468896.0000000002ED1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://SF7VJVWyAkXSzaT8.com
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.513468896.0000000002ED1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://SF7VJVWyAkXSzaT8.com8
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.514453925.0000000003227000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.513128375.00000000013A4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.514578396.000000000326D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.517074812.0000000006A80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.digicert.com/CPS0
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.514453925.0000000003227000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.513128375.00000000013A4000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.514578396.000000000326D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.517074812.0000000006A80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.digicert.com/rpa-ua0
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.513468896.0000000002ED1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
                    Source: unknownDNS traffic detected: queries for: webmail.active.by

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    barindex
                    Installs a global keyboard hook
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeWindows user hook set: 0 keyboard low level C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe
                    Contains functionality to register a low level keyboard hook
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeCode function: 4_2_06140A00 SetWindowsHookExW 0000000D,00000000,?,?
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.282397564.00000000007CB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeWindow created: window name: CLIPBRDWNDCLASS

                    System Summary

                    barindex
                    Malicious sample detected (through community Yara rule)
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.362ae48.6.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.381cbe0.9.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.381cbe0.9.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 4.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.35eec28.7.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.3792bc0.8.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.3792bc0.8.raw.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
                    Source: 0.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.362ae48.6.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    .NET source code contains very large array initializations
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.6.unpack, u003cPrivateImplementationDetailsu003eu007b013FCCA8u002d334Bu002d42A6u002d860Cu002d0A2952AECF4Du007d/u00349CD056Cu002d0F9Eu002d4C46u002dB528u002d409690A756E9.csLarge array initialization: .cctor: array initializer size 11653
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.4.unpack, u003cPrivateImplementationDetailsu003eu007b013FCCA8u002d334Bu002d42A6u002d860Cu002d0A2952AECF4Du007d/u00349CD056Cu002d0F9Eu002d4C46u002dB528u002d409690A756E9.csLarge array initialization: .cctor: array initializer size 11653
                    Source: 4.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b013FCCA8u002d334Bu002d42A6u002d860Cu002d0A2952AECF4Du007d/u00349CD056Cu002d0F9Eu002d4C46u002dB528u002d409690A756E9.csLarge array initialization: .cctor: array initializer size 11653
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.8.unpack, u003cPrivateImplementationDetailsu003eu007b013FCCA8u002d334Bu002d42A6u002d860Cu002d0A2952AECF4Du007d/u00349CD056Cu002d0F9Eu002d4C46u002dB528u002d409690A756E9.csLarge array initialization: .cctor: array initializer size 11653
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.362ae48.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.381cbe0.9.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.381cbe0.9.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 4.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.35eec28.7.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.3792bc0.8.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.3792bc0.8.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                    Source: 0.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.362ae48.6.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeCode function: 0_2_00AE4358
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeCode function: 0_2_00AE40A9
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeCode function: 0_2_00AE40B8
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeCode function: 0_2_00AE4348
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeCode function: 0_2_06E058C0
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeCode function: 0_2_06E05498
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeCode function: 0_2_06E0549D
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeCode function: 0_2_06E00040
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeCode function: 0_2_06E00007
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeCode function: 0_2_06E06A08
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeCode function: 0_2_06E06A10
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeCode function: 0_2_06E06A14
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeCode function: 0_2_06E06A18
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeCode function: 0_2_06E058B0
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeCode function: 0_2_06E058B5
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeCode function: 0_2_082AA1D0
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeCode function: 0_2_082A0027
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeCode function: 0_2_082A0040
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeCode function: 0_2_082A0047
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeCode function: 0_2_082A241C
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeCode function: 4_2_0153F6F8
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeCode function: 4_2_0153FA40
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeCode function: 4_2_015368E0
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeCode function: 4_2_06144850
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeCode function: 4_2_0614A400
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeCode function: 4_2_068384F8
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeCode function: 4_2_0683C388
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeCode function: 4_2_0683A820
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeCode function: 4_2_0683B070
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeCode function: 4_2_06831D28
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeCode function: 4_2_06833330
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.282397564.00000000007CB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.281942975.0000000000138000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameAssemblyAlgorithmIdAttrib.exe6 vs SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.286867007.0000000003710000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.286867007.0000000003710000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameIkjHJGXBvmBwCsuTExjaqdeEkQFeYXMasbly.exe4 vs SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289942459.0000000006E10000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.284509153.00000000024F1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameIkjHJGXBvmBwCsuTExjaqdeEkQFeYXMasbly.exe4 vs SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.286449493.00000000035EE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameIkjHJGXBvmBwCsuTExjaqdeEkQFeYXMasbly.exe4 vs SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000000.270549680.0000000000D58000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameAssemblyAlgorithmIdAttrib.exe6 vs SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.512519059.00000000010F8000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000000.272808462.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilenameIkjHJGXBvmBwCsuTExjaqdeEkQFeYXMasbly.exe4 vs SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeBinary or memory string: OriginalFilenameAssemblyAlgorithmIdAttrib.exe6 vs SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeVirustotal: Detection: 33%
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeReversingLabs: Detection: 43%
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe"
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.logJump to behavior
                    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/2@2/1
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, Ke/F9.csCryptographic APIs: 'CreateDecryptor'
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, Ke/F9.csCryptographic APIs: 'CreateDecryptor'
                    Source: 0.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.90000.0.unpack, Ke/F9.csCryptographic APIs: 'CreateDecryptor'
                    Source: 0.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.90000.0.unpack, Ke/F9.csCryptographic APIs: 'CreateDecryptor'
                    Source: 0.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.90000.0.unpack, Ke/F9.csCryptographic APIs: 'CreateDecryptor'
                    Source: 0.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.90000.0.unpack, Ke/F9.csCryptographic APIs: 'CreateDecryptor'
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.cb0000.7.unpack, Ke/F9.csCryptographic APIs: 'CreateDecryptor'
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.cb0000.7.unpack, Ke/F9.csCryptographic APIs: 'CreateDecryptor'
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.cb0000.3.unpack, Ke/F9.csCryptographic APIs: 'CreateDecryptor'
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.cb0000.3.unpack, Ke/F9.csCryptographic APIs: 'CreateDecryptor'
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.cb0000.0.unpack, Ke/F9.csCryptographic APIs: 'CreateDecryptor'
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.cb0000.0.unpack, Ke/F9.csCryptographic APIs: 'CreateDecryptor'
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: AssemblyAlgorithmIdAttrib.pdb source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe

                    Data Obfuscation

                    barindex
                    .NET source code contains method to dynamically call methods (often used by packers)
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, Ke/F9.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                    Source: 0.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.90000.0.unpack, Ke/F9.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.cb0000.7.unpack, Ke/F9.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.cb0000.3.unpack, Ke/F9.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.cb0000.0.unpack, Ke/F9.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.cb0000.9.unpack, Ke/F9.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                    Source: 4.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.cb0000.1.unpack, Ke/F9.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeCode function: 0_2_00AEA234 push esp; retf
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeCode function: 0_2_00AE8D7E push esp; retf
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeCode function: 0_2_00AE914C push esp; retf
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeCode function: 0_2_00AE973B push esp; retf
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeCode function: 0_2_00AE9BF5 push esp; retf
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeCode function: 0_2_082A35CC pushfd ; retf
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeCode function: 0_2_082A3610 push esp; retf
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeCode function: 4_2_0614E340 push es; ret
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeCode function: 4_2_0683178F push es; ret
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeCode function: 4_2_0683179B push es; ret
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeCode function: 4_2_068317EB push es; ret
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeCode function: 4_2_06831753 push es; ret
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeCode function: 4_2_06833330 push es; iretd
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeCode function: 4_2_068340B1 push es; iretd
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeCode function: 4_2_068318E5 push es; ret
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeCode function: 4_2_06831817 push es; ret
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeCode function: 4_2_0683181B push es; ret
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeCode function: 4_2_06831867 push es; ret
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeCode function: 4_2_068341D9 push es; iretd
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeCode function: 4_2_06834149 push es; iretd
                    Source: initial sampleStatic PE information: section name: .text entropy: 7.76001062943
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    barindex
                    Yara detected AntiVM3
                    Source: Yara matchFile source: 00000000.00000002.284509153.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe PID: 3692, type: MEMORYSTR
                    Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.284509153.00000000024F1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.284509153.00000000024F1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
                    Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe TID: 5956Thread sleep time: -45733s >= -30000s
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe TID: 2196Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe TID: 2200Thread sleep time: -14757395258967632s >= -30000s
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe TID: 5000Thread sleep count: 3204 > 30
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe TID: 5000Thread sleep count: 5632 > 30
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeWindow / User API: threadDelayed 3204
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeWindow / User API: threadDelayed 5632
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeThread delayed: delay time: 45733
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeThread delayed: delay time: 922337203685477
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.513128375.00000000013A4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllervices\Tcpip\Parameters|NumForwardPacketsPMTUBHDetectEnabled
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.284509153.00000000024F1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.284509153.00000000024F1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.284509153.00000000024F1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA II
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.284509153.00000000024F1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess token adjusted: Debug
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeCode function: 4_2_06837E48 LdrInitializeThunk,
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeMemory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    barindex
                    .NET source code references suspicious native API functions
                    Source: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, Ke/F9.csReference to suspicious API methods: ('ldi', 'GetProcAddress@kernel32'), ('Kdd', 'LoadLibrary@kernel32')
                    Source: 0.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.90000.0.unpack, Ke/F9.csReference to suspicious API methods: ('ldi', 'GetProcAddress@kernel32'), ('Kdd', 'LoadLibrary@kernel32')
                    Source: 0.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.90000.0.unpack, Ke/F9.csReference to suspicious API methods: ('ldi', 'GetProcAddress@kernel32'), ('Kdd', 'LoadLibrary@kernel32')
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.cb0000.7.unpack, Ke/F9.csReference to suspicious API methods: ('ldi', 'GetProcAddress@kernel32'), ('Kdd', 'LoadLibrary@kernel32')
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.cb0000.3.unpack, Ke/F9.csReference to suspicious API methods: ('ldi', 'GetProcAddress@kernel32'), ('Kdd', 'LoadLibrary@kernel32')
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.cb0000.0.unpack, Ke/F9.csReference to suspicious API methods: ('ldi', 'GetProcAddress@kernel32'), ('Kdd', 'LoadLibrary@kernel32')
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.cb0000.9.unpack, Ke/F9.csReference to suspicious API methods: ('ldi', 'GetProcAddress@kernel32'), ('Kdd', 'LoadLibrary@kernel32')
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.6.unpack, A/E1.csReference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.4.unpack, A/E1.csReference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
                    Source: 4.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.0.unpack, A/E1.csReference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
                    Source: 4.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.cb0000.1.unpack, Ke/F9.csReference to suspicious API methods: ('ldi', 'GetProcAddress@kernel32'), ('Kdd', 'LoadLibrary@kernel32')
                    Source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.8.unpack, A/E1.csReference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
                    Injects a PE file into a foreign processes
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeMemory written: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    barindex
                    Yara detected AgentTesla
                    Source: Yara matchFile source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.6.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.8.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.362ae48.6.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.381cbe0.9.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.381cbe0.9.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.12.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.35eec28.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.10.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.3792bc0.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.362ae48.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000004.00000000.272202502.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000000.272808462.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000002.510960801.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.286867007.0000000003710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000000.273600180.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000000.274625372.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.286449493.00000000035EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000002.513468896.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe PID: 3692, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe PID: 2560, type: MEMORYSTR
                    Tries to steal Mail credentials (via file / registry access)
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Tries to harvest and steal ftp login credentials
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                    Tries to harvest and steal browser information (history, passwords, etc)
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: Yara matchFile source: 00000004.00000002.513468896.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe PID: 2560, type: MEMORYSTR

                    Remote Access Functionality

                    barindex
                    Yara detected AgentTesla
                    Source: Yara matchFile source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.6.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.8.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.362ae48.6.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.381cbe0.9.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.381cbe0.9.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.12.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.35eec28.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.10.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.3792bc0.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.362ae48.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000004.00000000.272202502.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000000.272808462.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000002.510960801.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.286867007.0000000003710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000000.273600180.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000000.274625372.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.286449493.00000000035EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000002.513468896.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe PID: 3692, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe PID: 2560, type: MEMORYSTR

                    Mitre Att&ck Matrix

                    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                    Valid Accounts211
                    Windows Management Instrumentation                    		Path Interception111
                    Process Injection                    		1
                    Masquerading                    		2
                    OS Credential Dumping                    		211
                    Security Software Discovery                    		Remote Services1
                    Email Collection                    		Exfiltration Over Other Network Medium1
                    Encrypted Channel                    		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                    Default Accounts1
                    Native API                    		Boot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
                    Disable or Modify Tools                    		211
                    Input Capture                    		1
                    Process Discovery                    		Remote Desktop Protocol211
                    Input Capture                    		Exfiltration Over Bluetooth1
                    Non-Standard Port                    		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)131
                    Virtualization/Sandbox Evasion                    		1
                    Credentials in Registry                    		131
                    Virtualization/Sandbox Evasion                    		SMB/Windows Admin Shares11
                    Archive Collected Data                    		Automated Exfiltration1
                    Non-Application Layer Protocol                    		Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)111
                    Process Injection                    		NTDS1
                    Application Window Discovery                    		Distributed Component Object Model2
                    Data from Local System                    		Scheduled Transfer11
                    Application Layer Protocol                    		SIM Card SwapCarrier Billing Fraud
                    Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
                    Deobfuscate/Decode Files or Information                    		LSA Secrets1
                    Remote System Discovery                    		SSH1
                    Clipboard Data                    		Data Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                    Replication Through Removable MediaLaunchdRc.commonRc.common2
                    Obfuscated Files or Information                    		Cached Domain Credentials114
                    System Information Discovery                    		VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                    External Remote ServicesScheduled TaskStartup ItemsStartup Items13
                    Software Packing                    		DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact

                    Behavior Graph

                    Hide Legend

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet

                    Screenshots

                    Thumbnails

                    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                    windows-stand

                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

                    SourceDetectionScannerLabelLink
                    SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe33%VirustotalBrowse
                    SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe44%ReversingLabsByteCode-MSIL.Trojan.AgentTesla
                    SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe100%Joe Sandbox ML

                    Dropped Files

                    No Antivirus matches

                    Unpacked PE Files

                    SourceDetectionScannerLabelLinkDownload
                    4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.6.unpack100%AviraTR/Spy.Gen8Download File
                    4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.4.unpack100%AviraTR/Spy.Gen8Download File
                    4.2.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.0.unpack100%AviraTR/Spy.Gen8Download File
                    4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.8.unpack100%AviraTR/Spy.Gen8Download File
                    4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.12.unpack100%AviraTR/Spy.Gen8Download File
                    4.0.SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.400000.10.unpack100%AviraTR/Spy.Gen8Download File

                    Domains

                    No Antivirus matches

                    URLs

                    SourceDetectionScannerLabelLink
                    http://127.0.0.1:HTTP/1.10%Avira URL Cloudsafe
                    http://www.goodfont.co.kry0%Avira URL Cloudsafe
                    http://www.sandoll.co.krN.TTFp0%Avira URL Cloudsafe
                    http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                    http://WuEWlY.com0%Avira URL Cloudsafe
                    https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www0%URL Reputationsafe
                    http://www.sandoll.co.krl0%URL Reputationsafe
                    http://www.tiro.com0%URL Reputationsafe
                    http://www.goodfont.co.kr0%URL Reputationsafe
                    http://www.jiyu-kobo.co.jp/jp/0%URL Reputationsafe
                    http://www.carterandcone.coml0%URL Reputationsafe
                    http://www.sajatypeworks.com0%URL Reputationsafe
                    http://www.typography.netD0%URL Reputationsafe
                    http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
                    http://www.fontbureau.comoitu30%Avira URL Cloudsafe
                    http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
                    http://fontfabrik.com0%URL Reputationsafe
                    http://www.founder.com.cn/cn0%URL Reputationsafe
                    http://www.jiyu-kobo.co.jp//0%URL Reputationsafe
                    http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
                    http://DynDns.comDynDNSnamejidpasswordPsi/Psi0%URL Reputationsafe
                    http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                    http://www.goodfont.co.krFT0%Avira URL Cloudsafe
                    http://www.sandoll.co.kr0%URL Reputationsafe
                    http://www.urwpp.deDPlease0%URL Reputationsafe
                    http://www.zhongyicts.com.cn0%URL Reputationsafe
                    http://www.sakkal.com0%URL Reputationsafe
                    https://SF7VJVWyAkXSzaT8.com0%Avira URL Cloudsafe
                    http://www.goodfont.co.kr&0%Avira URL Cloudsafe
                    http://www.fontbureau.com=0%Avira URL Cloudsafe
                    https://SF7VJVWyAkXSzaT8.com80%Avira URL Cloudsafe

                    Domains and IPs

                    Contacted Domains

                    NameIPActiveMaliciousAntivirus DetectionReputation
                    webmail.active.by
                    		185.47.152.61
                    		truefalse
                      		high

                      URLs from Memory and Binaries

                      NameSourceMaliciousAntivirus DetectionReputation
                      http://127.0.0.1:HTTP/1.1SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.513468896.0000000002ED1000.00000004.00000800.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		low
                      http://www.apache.org/licenses/LICENSE-2.0SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.252248930.0000000005351000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        http://www.fontbureau.comSecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          http://www.fontbureau.com/designersGSecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            http://www.goodfont.co.krySecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.251445922.0000000005346000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://www.sandoll.co.krN.TTFpSecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.251445922.0000000005346000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://www.fontbureau.com/designers/?SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              http://www.founder.com.cn/cn/bTheSecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://www.fontbureau.com/designers?SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                http://WuEWlY.comSecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.513468896.0000000002ED1000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://wwwSecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.513468896.0000000002ED1000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.sandoll.co.krlSecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.251445922.0000000005346000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.tiro.comSecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.fontbureau.com/designersSecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://www.goodfont.co.krSecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.jiyu-kobo.co.jp/jp/SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.253829018.0000000005342000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.carterandcone.comlSecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.sajatypeworks.comSecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://webmail.active.bySecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.514453925.0000000003227000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.514578396.000000000326D000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    http://www.typography.netDSecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.fontbureau.com/designers/cabarga.htmlNSecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      http://www.founder.com.cn/cn/cTheSecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.fontbureau.comoitu3SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.288764673.0000000005340000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      		unknown
                                      http://www.galapagosdesign.com/staff/dennis.htmSecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.259518998.000000000537E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.259130181.000000000537E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.259303763.000000000537E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.260320170.000000000537D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.259791661.000000000537E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.259701206.000000000537E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.259471979.000000000537E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.259344901.000000000537E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.259609928.000000000537E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.259911250.000000000537D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.259056672.000000000537E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.259200492.000000000537E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.259281371.000000000537E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.260182995.000000000537D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.259547743.000000000537E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.259577319.000000000537E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.259756828.000000000537E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.259947152.000000000537D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.260104307.000000000537D000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.258994813.000000000537E000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.260143045.000000000537D000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      http://fontfabrik.comSecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.founder.com.cn/cnSecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.fontbureau.com/designers/frere-jones.htmlSecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        http://www.jiyu-kobo.co.jp//SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.253829018.0000000005342000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.jiyu-kobo.co.jp/SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.253829018.0000000005342000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        http://DynDns.comDynDNSnamejidpasswordPsi/PsiSecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.513468896.0000000002ED1000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.galapagosdesign.com/DPleaseSecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.fontbureau.com/designers8SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          http://www.goodfont.co.krFTSecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.251445922.0000000005346000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.fonts.comSecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            http://www.sandoll.co.krSecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.251445922.0000000005346000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            http://www.urwpp.deDPleaseSecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            http://www.zhongyicts.com.cnSecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            http://www.sakkal.comSecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.289013797.0000000006552000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            https://SF7VJVWyAkXSzaT8.comSecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.513468896.0000000002ED1000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown
                                            http://www.goodfont.co.kr&SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000003.251445922.0000000005346000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		low
                                            http://www.fontbureau.com=SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000000.00000002.288764673.0000000005340000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		low
                                            https://SF7VJVWyAkXSzaT8.com8SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe, 00000004.00000002.513468896.0000000002ED1000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            		unknown

                                            World Map of Contacted IPs

                                            • No. of IPs < 25%
                                            • 25% < No. of IPs < 50%
                                            • 50% < No. of IPs < 75%
                                            • 75% < No. of IPs

                                            Public IPs

                                            IPDomainCountryFlagASNASN NameMalicious
                                            185.47.152.61
                                            		webmail.active.byBelarus
                                            		202090ACTIVECLOUD-BY-ASBYfalse

                                            General Information

                                            Joe Sandbox Version:34.0.0 Boulder Opal
                                            Analysis ID:626423
                                            Start date and time: 14/05/202200:37:322022-05-14 00:37:32 +02:00
                                            Joe Sandbox Product:CloudBasic
                                            Overall analysis duration:0h 8m 58s
                                            Hypervisor based Inspection enabled:false
                                            Report type:light
                                            Sample file name:SecuriteInfo.com.Trojan.GenericKD.39649730.16343.2439 (renamed file extension from 2439 to exe)
                                            Cookbook file name:default.jbs
                                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                            Number of analysed new started processes analysed:29
                                            Number of new started drivers analysed:0
                                            Number of existing processes analysed:0
                                            Number of existing drivers analysed:0
                                            Number of injected processes analysed:0
                                            Technologies:
                                            • HCA enabled
                                            • EGA enabled
                                            • HDC enabled
                                            • AMSI enabled
                                            Analysis Mode:default
                                            Analysis stop reason:Timeout
                                            Detection:MAL
                                            Classification:mal100.troj.spyw.evad.winEXE@3/2@2/1
                                            EGA Information:
                                            • Successful, ratio: 100%
                                            HDC Information:
                                            • Successful, ratio: 1.3% (good quality ratio 1.1%)
                                            • Quality average: 65.1%
                                            • Quality standard deviation: 39.4%
                                            HCA Information:
                                            • Successful, ratio: 96%
                                            • Number of executed functions: 0
                                            • Number of non-executed functions: 0
                                            Cookbook Comments:
                                            • Adjust boot time
                                            • Enable AMSI

                                            Warnings

                                            • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, UpdateNotificationMgr.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe, wuapihost.exe
                                            • TCP Packets have been reduced to 100
                                            • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, go.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, ctldl.windowsupdate.com, settings-win.data.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                                            • Not all processes where analyzed, report is missing behavior information
                                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                            • Report size getting too big, too many NtQueryValueKey calls found.

                                            Simulations

                                            Behavior and APIs

                                            TimeTypeDescription
                                            00:38:43API Interceptor735x Sleep call for process: SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe modified

                                            Joe Sandbox View / Context

                                            IPs

                                            No context

                                            Domains

                                            No context

                                            ASNs

                                            No context

                                            JA3 Fingerprints

                                            No context

                                            Dropped Files

                                            No context

                                            Created / dropped Files

                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe.log

                                            Download File
                                            Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):1308
                                            Entropy (8bit):5.345811588615766
                                            Encrypted:false
                                            SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
                                            MD5:2E016B886BDB8389D2DD0867BE55F87B
                                            SHA1:25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
                                            SHA-256:1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
                                            SHA-512:C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
                                            Malicious:true
                                            Reputation:high, very likely benign file
                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

                                            C:\Users\user\AppData\Roaming\dexqxm4g.x3e\Chrome\Default\Cookies

                                            Download File
                                            Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe
                                            File Type:SQLite 3.x database, last written using SQLite version 3032001
                                            Category:dropped
                                            Size (bytes):20480
                                            Entropy (8bit):0.6970840431455908
                                            Encrypted:false
                                            SSDEEP:24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
                                            MD5:00681D89EDDB6AD25E6F4BD2E66C61C6
                                            SHA1:14B2FBFB460816155190377BBC66AB5D2A15F7AB
                                            SHA-256:8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
                                            SHA-512:159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
                                            Malicious:false
                                            Reputation:high, very likely benign file
                                            Preview:SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                            Static File Info

                                            General

                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Entropy (8bit):7.751594485393351
                                            TrID:
                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                            • Win32 Executable (generic) a (10002005/4) 49.78%
                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                            • DOS Executable Generic (2002/1) 0.01%
                                            File name:SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe
                                            File size:675840
                                            MD5:351a6ff6c8aef2f1f3fcc9cd8c0dfd8e
                                            SHA1:86b49c51155b6e3997a45e0ad1adef77722d4f6e
                                            SHA256:6099e48acdfc2f116c21d55e3aff1a1b7bc0d4c5841ee5506f762cd66935ca2e
                                            SHA512:c4f7c6857b511e50ada9fcc4ccd149a39dce2903f8e58ab38126794847f264ba9069c4de64a46a9f5065ba3781b1a61380a653799d3cd31aca57220c4b2853e6
                                            SSDEEP:12288:s/RR9cMw+idI0lWyrzmdcRURevzuVKane+jQ+oEvf7p97QbW:4qAOzlZemuVBne3Zap
                                            TLSH:8BE4F17DF2E78E63CB2522B6C0EB590403A05A5BD673E3AA2B4151E54D03BD39D42BC7
                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....~b..............0..H...........f... ........@.. ....................................@................................

                                            File Icon

                                            Icon Hash:00828e8e8686b000

                                            Static PE Info

                                            General

                                            Entrypoint:0x4a660e
                                            Entrypoint Section:.text
                                            Digitally signed:false
                                            Imagebase:0x400000
                                            Subsystem:windows gui
                                            Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                                            DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                            Time Stamp:0x627E0DE1 [Fri May 13 07:50:57 2022 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:v4.0.30319
                                            OS Version Major:4
                                            OS Version Minor:0
                                            File Version Major:4
                                            File Version Minor:0
                                            Subsystem Version Major:4
                                            Subsystem Version Minor:0
                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                            Entrypoint Preview

                                            Instruction
                                            jmp dword ptr [00402000h]
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al
                                            add byte ptr [eax], al

                                            Data Directories

                                            NameVirtual AddressVirtual Size Is in Section
                                            IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                            IMAGE_DIRECTORY_ENTRY_IMPORT0xa65c00x4b.text
                                            IMAGE_DIRECTORY_ENTRY_RESOURCE0xa80000x3bc.rsrc
                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                            IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                            IMAGE_DIRECTORY_ENTRY_BASERELOC0xaa0000xc.reloc
                                            IMAGE_DIRECTORY_ENTRY_DEBUG0xa655f0x1c.text
                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                            IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                            IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                            IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                            Sections

                                            NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                            .text0x20000xa46140xa4800False0.872511101349SysEx File -7.76001062943IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                            .rsrc0xa80000x3bc0x400False0.380859375data3.02433380393IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                            .reloc0xaa0000xc0x200False0.044921875data0.101910425663IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                            Resources

                                            NameRVASizeTypeLanguageCountry
                                            RT_VERSION0xa80580x364data

                                            Imports

                                            DLLImport
                                            mscoree.dll_CorExeMain

                                            Version Infos

                                            DescriptionData
                                            Translation0x0000 0x04b0
                                            LegalCopyrightCopyright 2017
                                            Assembly Version1.0.0.0
                                            InternalNameAssemblyAlgorithmIdAttrib.exe
                                            FileVersion1.0.0.0
                                            CompanyName
                                            LegalTrademarks
                                            Comments
                                            ProductNameResetEvent
                                            ProductVersion1.0.0.0
                                            FileDescriptionResetEvent
                                            OriginalFilenameAssemblyAlgorithmIdAttrib.exe

                                            Network Behavior

                                            Network Port Distribution

                                            TCP Packets

                                            TimestampSource PortDest PortSource IPDest IP
                                            May 14, 2022 00:38:59.679438114 CEST49745587192.168.2.3185.47.152.61
                                            May 14, 2022 00:38:59.746223927 CEST58749745185.47.152.61192.168.2.3
                                            May 14, 2022 00:38:59.746365070 CEST49745587192.168.2.3185.47.152.61
                                            May 14, 2022 00:38:59.813838005 CEST58749745185.47.152.61192.168.2.3
                                            May 14, 2022 00:38:59.814126968 CEST49745587192.168.2.3185.47.152.61
                                            May 14, 2022 00:38:59.881165981 CEST58749745185.47.152.61192.168.2.3
                                            May 14, 2022 00:38:59.881213903 CEST58749745185.47.152.61192.168.2.3
                                            May 14, 2022 00:38:59.881433010 CEST49745587192.168.2.3185.47.152.61
                                            May 14, 2022 00:38:59.956746101 CEST58749745185.47.152.61192.168.2.3
                                            May 14, 2022 00:39:00.032051086 CEST49745587192.168.2.3185.47.152.61
                                            May 14, 2022 00:39:00.096976995 CEST58749745185.47.152.61192.168.2.3
                                            May 14, 2022 00:39:00.097007990 CEST58749745185.47.152.61192.168.2.3
                                            May 14, 2022 00:39:00.097033978 CEST58749745185.47.152.61192.168.2.3
                                            May 14, 2022 00:39:00.097047091 CEST58749745185.47.152.61192.168.2.3
                                            May 14, 2022 00:39:00.097119093 CEST49745587192.168.2.3185.47.152.61
                                            May 14, 2022 00:39:00.097150087 CEST49745587192.168.2.3185.47.152.61
                                            May 14, 2022 00:39:00.103696108 CEST49745587192.168.2.3185.47.152.61
                                            May 14, 2022 00:39:00.171617985 CEST58749745185.47.152.61192.168.2.3
                                            May 14, 2022 00:39:00.242981911 CEST49745587192.168.2.3185.47.152.61
                                            May 14, 2022 00:39:00.307900906 CEST58749745185.47.152.61192.168.2.3
                                            May 14, 2022 00:39:00.308996916 CEST49745587192.168.2.3185.47.152.61
                                            May 14, 2022 00:39:00.373702049 CEST58749745185.47.152.61192.168.2.3
                                            May 14, 2022 00:39:00.381966114 CEST49745587192.168.2.3185.47.152.61
                                            May 14, 2022 00:39:00.487729073 CEST58749745185.47.152.61192.168.2.3
                                            May 14, 2022 00:39:00.568512917 CEST58749745185.47.152.61192.168.2.3
                                            May 14, 2022 00:39:00.570369959 CEST49745587192.168.2.3185.47.152.61
                                            May 14, 2022 00:39:00.635299921 CEST58749745185.47.152.61192.168.2.3
                                            May 14, 2022 00:39:00.635354996 CEST58749745185.47.152.61192.168.2.3
                                            May 14, 2022 00:39:00.636518955 CEST49745587192.168.2.3185.47.152.61
                                            May 14, 2022 00:39:00.701631069 CEST58749745185.47.152.61192.168.2.3
                                            May 14, 2022 00:39:00.705959082 CEST49745587192.168.2.3185.47.152.61
                                            May 14, 2022 00:39:00.779897928 CEST58749745185.47.152.61192.168.2.3
                                            May 14, 2022 00:39:00.782213926 CEST49745587192.168.2.3185.47.152.61
                                            May 14, 2022 00:39:00.782655954 CEST49745587192.168.2.3185.47.152.61
                                            May 14, 2022 00:39:00.783776999 CEST49745587192.168.2.3185.47.152.61
                                            May 14, 2022 00:39:00.784034014 CEST49745587192.168.2.3185.47.152.61
                                            May 14, 2022 00:39:00.847397089 CEST58749745185.47.152.61192.168.2.3
                                            May 14, 2022 00:39:00.848531961 CEST58749745185.47.152.61192.168.2.3
                                            May 14, 2022 00:39:00.848915100 CEST58749745185.47.152.61192.168.2.3
                                            May 14, 2022 00:39:01.067194939 CEST49745587192.168.2.3185.47.152.61
                                            May 14, 2022 00:39:01.125231028 CEST58749745185.47.152.61192.168.2.3
                                            May 14, 2022 00:39:01.125559092 CEST49745587192.168.2.3185.47.152.61
                                            May 14, 2022 00:39:01.997858047 CEST49745587192.168.2.3185.47.152.61
                                            May 14, 2022 00:39:02.062716007 CEST58749745185.47.152.61192.168.2.3
                                            May 14, 2022 00:39:02.062747002 CEST58749745185.47.152.61192.168.2.3
                                            May 14, 2022 00:39:02.062959909 CEST49745587192.168.2.3185.47.152.61
                                            May 14, 2022 00:39:02.063410044 CEST58749745185.47.152.61192.168.2.3
                                            May 14, 2022 00:39:02.063486099 CEST49745587192.168.2.3185.47.152.61
                                            May 14, 2022 00:39:02.074456930 CEST49745587192.168.2.3185.47.152.61
                                            May 14, 2022 00:39:02.128956079 CEST49746587192.168.2.3185.47.152.61
                                            May 14, 2022 00:39:02.194772959 CEST58749746185.47.152.61192.168.2.3
                                            May 14, 2022 00:39:02.194957018 CEST49746587192.168.2.3185.47.152.61
                                            May 14, 2022 00:39:02.261580944 CEST58749746185.47.152.61192.168.2.3
                                            May 14, 2022 00:39:02.261873960 CEST49746587192.168.2.3185.47.152.61
                                            May 14, 2022 00:39:02.328174114 CEST58749746185.47.152.61192.168.2.3
                                            May 14, 2022 00:39:02.328217030 CEST58749746185.47.152.61192.168.2.3
                                            May 14, 2022 00:39:02.328465939 CEST49746587192.168.2.3185.47.152.61
                                            May 14, 2022 00:39:02.404619932 CEST58749746185.47.152.61192.168.2.3
                                            May 14, 2022 00:39:02.405039072 CEST49746587192.168.2.3185.47.152.61
                                            May 14, 2022 00:39:02.470732927 CEST58749746185.47.152.61192.168.2.3
                                            May 14, 2022 00:39:02.470784903 CEST58749746185.47.152.61192.168.2.3
                                            May 14, 2022 00:39:02.470824003 CEST58749746185.47.152.61192.168.2.3
                                            May 14, 2022 00:39:02.470853090 CEST58749746185.47.152.61192.168.2.3
                                            May 14, 2022 00:39:02.470880985 CEST49746587192.168.2.3185.47.152.61
                                            May 14, 2022 00:39:02.470935106 CEST49746587192.168.2.3185.47.152.61
                                            May 14, 2022 00:39:02.472127914 CEST49746587192.168.2.3185.47.152.61
                                            May 14, 2022 00:39:02.540873051 CEST58749746185.47.152.61192.168.2.3
                                            May 14, 2022 00:39:02.542937994 CEST49746587192.168.2.3185.47.152.61
                                            May 14, 2022 00:39:02.608890057 CEST58749746185.47.152.61192.168.2.3
                                            May 14, 2022 00:39:02.609313011 CEST49746587192.168.2.3185.47.152.61
                                            May 14, 2022 00:39:02.675415039 CEST58749746185.47.152.61192.168.2.3
                                            May 14, 2022 00:39:02.675900936 CEST49746587192.168.2.3185.47.152.61
                                            May 14, 2022 00:39:02.785697937 CEST58749746185.47.152.61192.168.2.3
                                            May 14, 2022 00:39:02.895184040 CEST58749746185.47.152.61192.168.2.3
                                            May 14, 2022 00:39:02.895605087 CEST49746587192.168.2.3185.47.152.61
                                            May 14, 2022 00:39:02.961004019 CEST58749746185.47.152.61192.168.2.3
                                            May 14, 2022 00:39:02.961025953 CEST58749746185.47.152.61192.168.2.3
                                            May 14, 2022 00:39:02.961328030 CEST49746587192.168.2.3185.47.152.61
                                            May 14, 2022 00:39:03.026959896 CEST58749746185.47.152.61192.168.2.3
                                            May 14, 2022 00:39:03.027287960 CEST49746587192.168.2.3185.47.152.61
                                            May 14, 2022 00:39:03.101412058 CEST58749746185.47.152.61192.168.2.3
                                            May 14, 2022 00:39:03.103316069 CEST49746587192.168.2.3185.47.152.61
                                            May 14, 2022 00:39:03.103444099 CEST49746587192.168.2.3185.47.152.61
                                            May 14, 2022 00:39:03.103621960 CEST49746587192.168.2.3185.47.152.61
                                            May 14, 2022 00:39:03.103800058 CEST49746587192.168.2.3185.47.152.61
                                            May 14, 2022 00:39:03.103874922 CEST49746587192.168.2.3185.47.152.61
                                            May 14, 2022 00:39:03.103952885 CEST49746587192.168.2.3185.47.152.61
                                            May 14, 2022 00:39:03.104023933 CEST49746587192.168.2.3185.47.152.61
                                            May 14, 2022 00:39:03.104096889 CEST49746587192.168.2.3185.47.152.61
                                            May 14, 2022 00:39:03.168987989 CEST58749746185.47.152.61192.168.2.3
                                            May 14, 2022 00:39:03.169133902 CEST58749746185.47.152.61192.168.2.3
                                            May 14, 2022 00:39:03.169300079 CEST58749746185.47.152.61192.168.2.3
                                            May 14, 2022 00:39:03.169759989 CEST58749746185.47.152.61192.168.2.3
                                            May 14, 2022 00:39:03.259846926 CEST49746587192.168.2.3185.47.152.61
                                            May 14, 2022 00:40:39.611948013 CEST49746587192.168.2.3185.47.152.61
                                            May 14, 2022 00:40:39.677751064 CEST58749746185.47.152.61192.168.2.3
                                            May 14, 2022 00:40:39.677792072 CEST58749746185.47.152.61192.168.2.3
                                            May 14, 2022 00:40:39.677942991 CEST49746587192.168.2.3185.47.152.61
                                            May 14, 2022 00:40:39.678169012 CEST49746587192.168.2.3185.47.152.61
                                            May 14, 2022 00:40:39.678837061 CEST58749746185.47.152.61192.168.2.3

                                            UDP Packets

                                            TimestampSource PortDest PortSource IPDest IP
                                            May 14, 2022 00:38:59.641088963 CEST4931653192.168.2.38.8.8.8
                                            May 14, 2022 00:38:59.660692930 CEST53493168.8.8.8192.168.2.3
                                            May 14, 2022 00:39:02.108280897 CEST5641753192.168.2.38.8.8.8
                                            May 14, 2022 00:39:02.127830029 CEST53564178.8.8.8192.168.2.3

                                            DNS Queries

                                            TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                            May 14, 2022 00:38:59.641088963 CEST192.168.2.38.8.8.80x9f7dStandard query (0)webmail.active.byA (IP address)IN (0x0001)
                                            May 14, 2022 00:39:02.108280897 CEST192.168.2.38.8.8.80xfb9dStandard query (0)webmail.active.byA (IP address)IN (0x0001)

                                            DNS Answers

                                            TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                            May 14, 2022 00:38:59.660692930 CEST8.8.8.8192.168.2.30x9f7dNo error (0)webmail.active.by185.47.152.61A (IP address)IN (0x0001)
                                            May 14, 2022 00:39:02.127830029 CEST8.8.8.8192.168.2.30xfb9dNo error (0)webmail.active.by185.47.152.61A (IP address)IN (0x0001)

                                            SMTP Packets

                                            TimestampSource PortDest PortSource IPDest IPCommands
                                            May 14, 2022 00:38:59.813838005 CEST58749745185.47.152.61192.168.2.3220 webmail.active.by ESMTP Exim
                                            May 14, 2022 00:38:59.814126968 CEST49745587192.168.2.3185.47.152.61EHLO 760639
                                            May 14, 2022 00:38:59.881213903 CEST58749745185.47.152.61192.168.2.3250-webmail.active.by Hello 760639 [84.17.52.36]
                                            250-SIZE 52428800
                                            250-8BITMIME
                                            250-PIPELINING
                                            250-AUTH PLAIN LOGIN
                                            250-STARTTLS
                                            250 HELP
                                            May 14, 2022 00:38:59.881433010 CEST49745587192.168.2.3185.47.152.61STARTTLS
                                            May 14, 2022 00:38:59.956746101 CEST58749745185.47.152.61192.168.2.3220 TLS go ahead
                                            May 14, 2022 00:39:02.261580944 CEST58749746185.47.152.61192.168.2.3220 webmail.active.by ESMTP Exim
                                            May 14, 2022 00:39:02.261873960 CEST49746587192.168.2.3185.47.152.61EHLO 760639
                                            May 14, 2022 00:39:02.328217030 CEST58749746185.47.152.61192.168.2.3250-webmail.active.by Hello 760639 [84.17.52.36]
                                            250-SIZE 52428800
                                            250-8BITMIME
                                            250-PIPELINING
                                            250-AUTH PLAIN LOGIN
                                            250-STARTTLS
                                            250 HELP
                                            May 14, 2022 00:39:02.328465939 CEST49746587192.168.2.3185.47.152.61STARTTLS
                                            May 14, 2022 00:39:02.404619932 CEST58749746185.47.152.61192.168.2.3220 TLS go ahead

                                            Statistics

                                            Behavior

                                            Click to jump to process

                                            System Behavior

                                            General

                                            Target ID:0
                                            Start time:00:38:33
                                            Start date:14/05/2022
                                            Path:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe"
                                            Imagebase:0x90000
                                            File size:675840 bytes
                                            MD5 hash:351A6FF6C8AEF2F1F3FCC9CD8C0DFD8E
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.286867007.0000000003710000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.286867007.0000000003710000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.286449493.00000000035EE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.286449493.00000000035EE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.284509153.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:low

                                            General

                                            Target ID:4
                                            Start time:00:38:45
                                            Start date:14/05/2022
                                            Path:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.39649730.16343.exe
                                            Imagebase:0xcb0000
                                            File size:675840 bytes
                                            MD5 hash:351A6FF6C8AEF2F1F3FCC9CD8C0DFD8E
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.272202502.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.272202502.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.272808462.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.272808462.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.510960801.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000002.510960801.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.273600180.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.273600180.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.274625372.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.274625372.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.513468896.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.513468896.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:low

                                            Disassembly

                                            No disassembly