
Windows Analysis Report
From Richard.exe

Overview

General Information

Sample Name: From Richard.exe
Analysis ID: 626543
MD5: fa530d1cf018a5cc8c8215344b09d2f7
SHA1: bbd46bf5bead0b503ce045e5d5a856745bca49b9
SHA256: fe581076f8a8cd90b93b2bca8fde7fa8008c2c1c0962fc0282f785354fcda4a4
Tags: agenttesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • From Richard.exe (PID: 6432 cmdline: "C:\Users\user\Desktop\From Richard.exe" MD5: FA530D1CF018A5CC8C8215344B09D2F7)
    • From Richard.exe (PID: 6732 cmdline: C:\Users\user\Desktop\From Richard.exe MD5: FA530D1CF018A5CC8C8215344B09D2F7)
    • From Richard.exe (PID: 6740 cmdline: C:\Users\user\Desktop\From Richard.exe MD5: FA530D1CF018A5CC8C8215344B09D2F7)
  • cleanup
{"Exfil Mode": "SMTP", "Username": "btc@imfalert.com", "Password": "dontgiveup@2022", "Host": "mail.imfalert.com"}
Source: 00000005.00000000.271694098.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000005.00000000.271694098.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_2 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000005.00000000.271208855.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000005.00000000.271208855.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_2 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000005.00000002.508749383.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 5.0.From Richard.exe.400000.12.unpack | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 5.0.From Richard.exe.400000.12.unpack | Rule: JoeSecurity_AgentTesla_2 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 5.0.From Richard.exe.400000.12.unpack | Rule: MALWARE_Win_AgentTeslaV3 | Description: AgentTeslaV3 infostealer payload | Author: ditekSHen | Strings:
  • 0x32b21:$s10: logins
  • 0x32588:$s11: credential
  • 0x2eb72:$g1: get_Clipboard
  • 0x2eb80:$g2: get_Keyboard
  • 0x2eb8d:$g3: get_Password
  • 0x2fe91:$g4: get_CtrlKeyDown
  • 0x2fea1:$g5: get_ShiftKeyDown
  • 0x2feb2:$g6: get_AltKeyDown
Source: 5.2.From Richard.exe.400000.0.unpack | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 5.2.From Richard.exe.400000.0.unpack | Rule: JoeSecurity_AgentTesla_2 | Description: Yara detected AgentTesla | Author: Joe Security

No Sigma rule has matched
No Snort rule has matched


                    AV Detection

Source: 5.0.From Richard.exe.400000.12.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "btc@imfalert.com", "Password": "dontgiveup@2022", "Host": "mail.imfalert.com"}
Source: From Richard.exe | Virustotal: Detection: 49%
Source: From Richard.exe | ReversingLabs: Detection: 46%
Source: From Richard.exe | Joe Sandbox ML: detected
Source: 5.0.From Richard.exe.400000.12.unpack | Avira: Label: TR/Spy.Gen8
Source: 5.2.From Richard.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 5.0.From Richard.exe.400000.8.unpack | Avira: Label: TR/Spy.Gen8
Source: 5.0.From Richard.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 5.0.From Richard.exe.400000.10.unpack | Avira: Label: TR/Spy.Gen8
Source: 5.0.From Richard.exe.400000.6.unpack | Avira: Label: TR/Spy.Gen8
Source: From Richard.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: From Richard.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Joe Sandbox View | ASN Name: 24SHELLSUS 24SHELLSUS
Source: global traffic | TCP traffic: 192.168.2.3:49747 -> 209.205.209.130:587
Source: unknown | DNS traffic detected: queries for: mail.imfalert.com

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\From Richard.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\From Richard.exe
Source: From Richard.exe, 00000000.00000002.276043133.000000000170A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\From Richard.exe | Window created: window name: CLIPBRDWNDCLASS

                    System Summary

Source: 5.0.From Richard.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload, Author: ditekSHen
Source: 5.2.From Richard.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload, Author: ditekSHen
Source: 5.0.From Richard.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload, Author: ditekSHen
Source: 5.0.From Richard.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload, Author: ditekSHen
Source: 5.0.From Richard.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload, Author: ditekSHen
Source: 0.2.From Richard.exe.46b62b0.8.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload, Author: ditekSHen
Source: 0.2.From Richard.exe.47058b0.7.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload, Author: ditekSHen
Source: 0.2.From Richard.exe.47058b0.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT, Author: ditekSHen
Source: 5.0.From Richard.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload, Author: ditekSHen
Source: 0.2.From Richard.exe.46b62b0.8.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload, Author: ditekSHen
Source: 0.2.From Richard.exe.46b62b0.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT, Author: ditekSHen
Source: 0.2.From Richard.exe.467fe90.6.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload, Author: ditekSHen
Source: 0.2.From Richard.exe.467fe90.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT, Author: ditekSHen
Source: 0.2.From Richard.exe.34dbc04.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables potentially checking for WinJail sandbox window, Author: ditekSHen
Source: 0.2.From Richard.exe.34e7e50.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables potentially checking for WinJail sandbox window, Author: ditekSHen
Source: 0.2.From Richard.exe.34d49b8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables potentially checking for WinJail sandbox window, Author: ditekSHen
Source: 5.0.From Richard.exe.400000.12.unpack, <PrivateImplementationDetails>{F135A869-BA3D-45C8-AC34-EAAFFB741756}/36F4C64F-1F76-4A10-B795-9BC0FAEEEC7B.cs | Large array initialization: .cctor: array initializer size 11616
Source: 5.2.From Richard.exe.400000.0.unpack, <PrivateImplementationDetails>{F135A869-BA3D-45C8-AC34-EAAFFB741756}/36F4C64F-1F76-4A10-B795-9BC0FAEEEC7B.cs | Large array initialization: .cctor: array initializer size 11616
Source: 5.0.From Richard.exe.400000.8.unpack, <PrivateImplementationDetails>{F135A869-BA3D-45C8-AC34-EAAFFB741756}/36F4C64F-1F76-4A10-B795-9BC0FAEEEC7B.cs | Large array initialization: .cctor: array initializer size 11616
Source: 5.0.From Richard.exe.400000.4.unpack, <PrivateImplementationDetails>{F135A869-BA3D-45C8-AC34-EAAFFB741756}/36F4C64F-1F76-4A10-B795-9BC0FAEEEC7B.cs | Large array initialization: .cctor: array initializer size 11616
Source: From Richard.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 5.0.From Richard.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 5.2.From Richard.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 5.0.From Richard.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 5.0.From Richard.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 5.0.From Richard.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.From Richard.exe.46b62b0.8.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.From Richard.exe.47058b0.7.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.From Richard.exe.47058b0.7.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 5.0.From Richard.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.From Richard.exe.46b62b0.8.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.From Richard.exe.46b62b0.8.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.From Richard.exe.467fe90.6.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.From Richard.exe.467fe90.6.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.From Richard.exe.34dbc04.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0.2.From Richard.exe.34e7e50.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 0.2.From Richard.exe.34d49b8.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: C:\Users\user\Desktop\From Richard.exe | Code function: String function: 063B5A58 appears 54 times
Source: From Richard.exe | Binary or memory string: OriginalFilename vs From Richard.exe
Source: From Richard.exe, 00000000.00000002.282489980.0000000007CC0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs From Richard.exe
Source: From Richard.exe, 00000000.00000002.277272933.0000000003481000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRMysppdAnaltxyBqYXEDchtfFaaYFjGe.exe4 vs From Richard.exe
Source: From Richard.exe, 00000000.00000002.276043133.000000000170A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs From Richard.exe
Source: From Richard.exe, 00000000.00000002.281354781.00000000045DC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRMysppdAnaltxyBqYXEDchtfFaaYFjGe.exe4 vs From Richard.exe
Source: From Richard.exe, 00000000.00000002.281354781.00000000045DC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameDotNetZipAdditionalPlatforms.dllZ vs From Richard.exe
Source: From Richard.exe, 00000005.00000000.271694098.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRMysppdAnaltxyBqYXEDchtfFaaYFjGe.exe4 vs From Richard.exe
Source: From Richard.exe, 00000005.00000002.509928461.000000000159A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs From Richard.exe
Source: From Richard.exe, 00000005.00000002.509536424.00000000012F8000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs From Richard.exe
Source: From Richard.exe | Binary or memory string: OriginalFilenamePropertyBuil.exe8 vs From Richard.exe
Source: From Richard.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: From Richard.exe | Virustotal: Detection: 49%
Source: From Richard.exe | ReversingLabs: Detection: 46%
Source: C:\Users\user\Desktop\From Richard.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\From Richard.exe "C:\Users\user\Desktop\From Richard.exe"
Source: C:\Users\user\Desktop\From Richard.exe | Process created: C:\Users\user\Desktop\From Richard.exe C:\Users\user\Desktop\From Richard.exe
Source: C:\Users\user\Desktop\From Richard.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\From Richard.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\From Richard.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\From Richard.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\From Richard.exe.log
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@5/1@2/1
Source: C:\Users\user\Desktop\From Richard.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: 5.0.From Richard.exe.400000.12.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.2.From Richard.exe.400000.0.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.0.From Richard.exe.400000.8.unpack, A/F1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\From Richard.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\From Richard.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\From Richard.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: From Richard.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: From Richard.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation
Source: From Richard.exe, Main.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "5370617273656C79506F70756C617465644172", "33523545", "TexasHoldem" } }, null, null)
Source: 0.0.From Richard.exe.fc0000.0.unpack, Main.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "5370617273656C79506F70756C617465644172", "33523545", "TexasHoldem" } }, null, null)
Source: 0.2.From Richard.exe.fc0000.0.unpack, Main.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "5370617273656C79506F70756C617465644172", "33523545", "TexasHoldem" } }, null, null)
Source: 4.0.From Richard.exe.340000.3.unpack, Main.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "5370617273656C79506F70756C617465644172", "33523545", "TexasHoldem" } }, null, null)
Source: 4.0.From Richard.exe.340000.0.unpack, Main.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "5370617273656C79506F70756C617465644172", "33523545", "TexasHoldem" } }, null, null)
Source: 4.0.From Richard.exe.340000.2.unpack, Main.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "5370617273656C79506F70756C617465644172", "33523545", "TexasHoldem" } }, null, null)
Source: 4.0.From Richard.exe.340000.1.unpack, Main.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "5370617273656C79506F70756C617465644172", "33523545", "TexasHoldem" } }, null, null)
Source: 4.2.From Richard.exe.340000.0.unpack, Main.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "5370617273656C79506F70756C617465644172", "33523545", "TexasHoldem" } }, null, null)
Source: 5.0.From Richard.exe.ec0000.7.unpack, Main.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "5370617273656C79506F70756C617465644172", "33523545", "TexasHoldem" } }, null, null)
Source: 5.0.From Richard.exe.ec0000.0.unpack, Main.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "5370617273656C79506F70756C617465644172", "33523545", "TexasHoldem" } }, null, null)
Source: 5.0.From Richard.exe.ec0000.13.unpack, Main.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "5370617273656C79506F70756C617465644172", "33523545", "TexasHoldem" } }, null, null)
Source: 5.0.From Richard.exe.ec0000.2.unpack, Main.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "5370617273656C79506F70756C617465644172", "33523545", "TexasHoldem" } }, null, null)
Source: 5.0.From Richard.exe.ec0000.1.unpack, Main.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "5370617273656C79506F70756C617465644172", "33523545", "TexasHoldem" } }, null, null)
Source: 5.0.From Richard.exe.ec0000.3.unpack, Main.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "5370617273656C79506F70756C617465644172", "33523545", "TexasHoldem" } }, null, null)
Source: 5.0.From Richard.exe.ec0000.9.unpack, Main.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "5370617273656C79506F70756C617465644172", "33523545", "TexasHoldem" } }, null, null)
Source: 5.2.From Richard.exe.ec0000.1.unpack, Main.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "5370617273656C79506F70756C617465644172", "33523545", "TexasHoldem" } }, null, null)
Source: 5.0.From Richard.exe.ec0000.11.unpack, Main.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] { "5370617273656C79506F70756C617465644172", "33523545", "TexasHoldem" } }, null, null)
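The LateBinding.LateCall rows above are the evidence behind the ".NET source code contains method to dynamically call methods" signature: the sample resolves its real target at run time through Microsoft.VisualBasic late binding, so the static call graph never shows what is invoked, and it passes three strings of which the first two are ASCII-hex encoded (they decode to SparselyPopulatedAr and 3R5E; what the invoked method does with them is not shown in this report). The script below is an added example, not code from the report or from the sample, that pulls the argument list out of such an evidence line and decodes every argument that is hex for printable ASCII. The line it parses is copied from the rows above; the function names are the example's own.

```python
import re

# The evidence line as printed in this report (one of the identical rows above).
LATECALL_LINE = (
    'LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, new object[] '
    '{ "5370617273656C79506F70756C617465644172", "33523545", "TexasHoldem" } }, null, null)'
)

# Even-length run of hex digits, the shape of the first two arguments.
HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")


def extract_latecall_args(line: str) -> list[str]:
    """Pull the string literals out of the inner `new object[] { ... }` that
    LateCall forwards to the "Invoke" target."""
    m = re.search(
        r'"Invoke",\s*new object\[\]\s*\{\s*null,\s*new object\[\]\s*\{(.*?)\}', line
    )
    if not m:
        return []
    return re.findall(r'"([^"]*)"', m.group(1))


def decode_arg(arg: str) -> tuple[str, str]:
    """Return ("hex", decoded) when the argument is hex that decodes to printable
    ASCII, otherwise ("plain", arg). Requiring printable output keeps an ordinary
    identifier that happens to be made of hex digits from being mis-decoded."""
    if HEX_RE.match(arg):
        raw = bytes.fromhex(arg)
        if all(0x20 <= b < 0x7F for b in raw):
            return "hex", raw.decode("ascii")
    return "plain", arg


def decode_latecall(line: str) -> list[tuple[str, str]]:
    """(kind, value) for each argument of the LateCall in `line`."""
    return [decode_arg(a) for a in extract_latecall_args(line)]


if __name__ == "__main__":
    for kind, value in decode_latecall(LATECALL_LINE):
        print(f"{kind:5} {value}")
```

Run it against any decompiler line of the same shape; arguments that are hex but decode to non-printable bytes are reported as plain text so the analyst sees the raw value rather than garbage.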
Source: C:\Users\user\Desktop\From Richard.exe | Code function: 5_2_068F178F push es; ret
Source: C:\Users\user\Desktop\From Richard.exe | Code function: 5_2_068F1783 push es; ret
Source: C:\Users\user\Desktop\From Richard.exe | Code function: 5_2_068F179B push es; ret
Source: C:\Users\user\Desktop\From Richard.exe | Code function: 5_2_068F17A1 push es; ret
Source: C:\Users\user\Desktop\From Richard.exe | Code function: 5_2_068F17B9 push es; ret
Source: C:\Users\user\Desktop\From Richard.exe | Code function: 5_2_068F17D1 push es; ret
Source: C:\Users\user\Desktop\From Richard.exe | Code function: 5_2_068F17EB push es; ret
Source: C:\Users\user\Desktop\From Richard.exe | Code function: 5_2_068F177B push es; ret
Source: C:\Users\user\Desktop\From Richard.exe | Code function: 5_2_068F25DD push E9017AD0h; retn 0006h
Source: C:\Users\user\Desktop\From Richard.exe | Code function: 5_2_068F2520 push edi; ret
Source: C:\Users\user\Desktop\From Richard.exe | Code function: 5_2_068F32A8 push es; iretd (2 times)
Source: C:\Users\user\Desktop\From Richard.exe | Code function: 5_2_068F40B1 push es; iretd
Source: C:\Users\user\Desktop\From Richard.exe | Code function: 5_2_068F18DD push es; ret
Source: C:\Users\user\Desktop\From Richard.exe | Code function: 5_2_068F181B push es; ret
Source: C:\Users\user\Desktop\From Richard.exe | Code function: 5_2_068F1817 push es; ret
Source: C:\Users\user\Desktop\From Richard.exe | Code function: 5_2_068F1827 push es; ret
Source: C:\Users\user\Desktop\From Richard.exe | Code function: 5_2_068F1833 push es; ret
Source: C:\Users\user\Desktop\From Richard.exe | Code function: 5_2_068F1867 push es; ret
Source: C:\Users\user\Desktop\From Richard.exe | Code function: 5_2_068F187F push es; ret
Source: C:\Users\user\Desktop\From Richard.exe | Code function: 5_2_068F1873 push es; ret
Source: C:\Users\user\Desktop\From Richard.exe | Code function: 5_2_068F41D9 push es; iretd
Source: C:\Users\user\Desktop\From Richard.exe | Code function: 5_2_068F41D1 push es; iretd
Source: C:\Users\user\Desktop\From Richard.exe | Code function: 5_2_068F2177 push edi; retn 0000h
Source: initial sample | Static PE information: section name: .text entropy: 7.90632247255
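A .text entropy of 7.906 bits per byte is close to the maximum of 8 and is the usual footprint of compressed or encrypted code; ordinary compiled .NET or x86 code sits markedly lower. The Python below is an added example, not part of the report, that reproduces this check without third-party libraries: it walks the PE section table by hand and flags sections whose raw bytes exceed a threshold of 7.0 bits/byte (an assumed cut-off, not a value the report states). Its input is a constructed, non-loadable toy PE rather than the sample; pass the bytes of a real file to pe_section_entropies to triage it.

```python
import math
import struct

PACKED_THRESHOLD = 7.0  # bits/byte; assumed cut-off, plain compiled code sits well below it


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_section_entropies(pe: bytes) -> list[tuple[str, int, float]]:
    """Walk the PE section table (no third-party parser) and return
    (name, SizeOfRawData, entropy) for each section's raw bytes on disk."""
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    (num_sections,) = struct.unpack_from("<H", pe, e_lfanew + 6)
    (opt_hdr_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 24 + opt_hdr_size      # section headers follow the optional header
    result = []
    for i in range(num_sections):
        off = table + i * 40                  # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        result.append((name, raw_size, shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])))
    return result


def flag_packed_sections(pe: bytes, threshold: float = PACKED_THRESHOLD) -> list[str]:
    """Names of non-empty sections whose entropy reaches the threshold."""
    return [name for name, size, ent in pe_section_entropies(pe) if size and ent >= threshold]


def build_toy_pe(sections: list[tuple[str, bytes]]) -> bytes:
    """Construct a minimal, non-loadable PE: DOS header, COFF header with no
    optional header, a section table and the raw section data. Demo input only."""
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    ptr = 0x40 + len(coff) + 40 * len(sections)              # offset of first raw data
    table, blobs = b"", b""
    for name, payload in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(payload), 0x1000, len(payload), ptr, 0, 0, 0, 0, 0x60000020)
        blobs += payload
        ptr += len(payload)
    return dos + coff + table + blobs


# Constructed sample: a ".text" of uniformly distributed bytes (what an encrypted
# payload looks like) next to a trivially low-entropy ".rdata".
TOY_PE = build_toy_pe([(".text", bytes(range(256)) * 16), (".rdata", b"A" * 4096)])

if __name__ == "__main__":
    for name, size, ent in pe_section_entropies(TOY_PE):
        print(f"{name:8} {size:6d} bytes  entropy {ent:.3f}")
    print("packed-looking sections:", flag_packed_sections(TOY_PE))
```

Entropy alone does not prove packing (large embedded images or certificates also score high), which is why the report pairs it with the very-large-array and runtime-decryptor signatures.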
Source: C:\Users\user\Desktop\From Richard.exe | Process information set: NOOPENFILEERRORBOX (94 times)

Malware Analysis System Evasion
Source: Yara match | File source: 0.2.From Richard.exe.34dbc04.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.From Richard.exe.34e7e50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.From Richard.exe.34d49b8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.277272933.0000000003481000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: From Richard.exe PID: 6432, type: MEMORYSTR
Source: From Richard.exe, 00000000.00000002.277272933.0000000003481000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
Source: From Richard.exe, 00000000.00000002.277272933.0000000003481000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Users\user\Desktop\From Richard.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\From Richard.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\From Richard.exe TID: 6436 | Thread sleep time: -45733s >= -30000s
Source: C:\Users\user\Desktop\From Richard.exe TID: 6904 | Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Users\user\Desktop\From Richard.exe TID: 6920 | Thread sleep count: 4317 > 30
Source: C:\Users\user\Desktop\From Richard.exe TID: 6920 | Thread sleep count: 4754 > 30
Source: C:\Users\user\Desktop\From Richard.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\From Richard.exe | Window / User API: threadDelayed 4317
Source: C:\Users\user\Desktop\From Richard.exe | Window / User API: threadDelayed 4754
Source: C:\Users\user\Desktop\From Richard.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\From Richard.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\From Richard.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\From Richard.exe | Thread delayed: delay time: 45733
Source: C:\Users\user\Desktop\From Richard.exe | Thread delayed: delay time: 922337203685477
Source: From Richard.exe, 00000000.00000002.277272933.0000000003481000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: From Richard.exe, 00000000.00000002.277272933.0000000003481000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
Source: From Richard.exe, 00000000.00000002.277272933.0000000003481000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
Source: From Richard.exe, 00000005.00000002.510099135.000000000164A000.00000004.00000020.00020000.00000000.sdmp, From Richard.exe, 00000005.00000003.303178584.0000000001676000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: From Richard.exe, 00000000.00000002.277272933.0000000003481000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
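The rows above are three kinds of evasion evidence: memory strings that name analysis environments (Sandboxie's SBIEDLL.DLL, Wine's WINE_GET_UNIX_FILE_NAME export, VMware and Hyper-V artefacts), WMI hardware fingerprinting (Win32_BaseBoard, Win32_NetworkAdapterConfiguration, Win32_Processor), and sleep behaviour that trips the report's own thresholds (a single delay of 30000 ms or more, or more than 30 sleeps on one thread). The delay value 922337203685477 is int(TimeSpan.MaxValue.TotalMilliseconds), so that thread is parked indefinitely rather than for a measured interval, which is why sandboxes that patch Sleep to return early still need the count-based rule. The Python below is an added example, not code from the report, that encodes those checks as a small triage routine. Its inputs are constructed from the evidence lines above, not a real memory dump; the 30000/30 thresholds are the report's, while the indicator list is a starting point and not exhaustive.

```python
import re

# Substrings (matched case-insensitively) behind the memory-string evidence above,
# grouped by the environment each one would reveal. Not an exhaustive list.
ENVIRONMENT_INDICATORS = {
    "sandboxie": ("sbiedll.dll",),
    "wine":      ("wine_get_unix_file_name",),
    "vmware":    ("vmware",),          # "VMware SVGA II", "VMWARE TOOLS", "VMware, Inc."
    "hyper-v":   ("hyper-v",),
}

# WMI classes the report treats as hardware fingerprinting.
FINGERPRINT_WMI_CLASSES = {"Win32_BaseBoard", "Win32_NetworkAdapterConfiguration", "Win32_Processor"}

# Sleep thresholds from the report, plus the delay that equals
# int(TimeSpan.MaxValue.TotalMilliseconds), i.e. an effectively infinite wait.
LONG_SLEEP_MS = 30_000
MANY_SLEEPS = 30
TIMESPAN_MAX_MS = 922_337_203_685_477


def classify_memory_strings(strings):
    """Map each indicator family to the raw strings that triggered it."""
    hits = {}
    for s in strings:
        low = s.lower()
        for family, needles in ENVIRONMENT_INDICATORS.items():
            if any(n in low for n in needles):
                hits.setdefault(family, []).append(s)
    return hits


def wmi_fingerprint_classes(queries):
    """Fingerprinting-relevant WMI classes named in query evidence lines, sorted."""
    found = set()
    for q in queries:
        for cls in re.findall(r"Win32_\w+", q):
            if cls in FINGERPRINT_WMI_CLASSES:
                found.add(cls)
    return sorted(found)


def sleep_evasion_reasons(delays_ms, sleep_counts):
    """One human-readable reason per sleep observation that trips a threshold."""
    reasons = []
    for d in delays_ms:
        if d == TIMESPAN_MAX_MS:
            reasons.append(f"delay {d} ms equals TimeSpan.MaxValue, thread parks indefinitely")
        elif d >= LONG_SLEEP_MS:
            reasons.append(f"delay {d} ms >= {LONG_SLEEP_MS} ms")
    for c in sleep_counts:
        if c > MANY_SLEEPS:
            reasons.append(f"{c} sleeps on one thread > {MANY_SLEEPS}")
    return reasons


# Constructed inputs modelled on the evidence rows above (not a real dump).
SAMPLE_STRINGS = [
    "SBIEDLL.DLL",
    "KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME",
    "VMware SVGA II",
    r"SOFTWARE\VMware, Inc.\VMware Tools",
    r"Hyper-V RAW%SystemRoot%\system32\mswsock.dll",
    "System.Windows.Forms.dll",   # benign, must not match
]
SAMPLE_WMI = [
    r"IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration",
    r"IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard",
    r"IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor",
]
SAMPLE_DELAYS_MS = [45733, 922337203685477]
SAMPLE_SLEEP_COUNTS = [4317, 4754]


def triage():
    """Combine the three checks over the constructed sample into one verdict dict."""
    return {
        "environment": classify_memory_strings(SAMPLE_STRINGS),
        "wmi": wmi_fingerprint_classes(SAMPLE_WMI),
        "sleep": sleep_evasion_reasons(SAMPLE_DELAYS_MS, SAMPLE_SLEEP_COUNTS),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(), indent=2))
```

The Hyper-V string deserves a caveat before it is counted as an evasion hit: mswsock.dll carries the "Hyper-V RAW" provider name on every modern Windows build, so a match there only shows the sample touched Winsock, not that it tested for Hyper-V.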
Source: C:\Users\user\Desktop\From Richard.exe | Process token adjusted: Debug (2 times)
Source: C:\Users\user\Desktop\From Richard.exe | Code function: 5_2_063BFA48 LdrInitializeThunk,
Source: C:\Users\user\Desktop\From Richard.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\From Richard.exe | Process created: C:\Users\user\Desktop\From Richard.exe C:\Users\user\Desktop\From Richard.exe (2 times)
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Users\user\Desktop\From Richard.exe VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\From Richard.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Users\user\Desktop\From Richard.exe VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\From Richard.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

Source: Yara match | File source: 5.0.From Richard.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.From Richard.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.From Richard.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.From Richard.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.From Richard.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.From Richard.exe.46b62b0.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.From Richard.exe.47058b0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.From Richard.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.From Richard.exe.46b62b0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.From Richard.exe.467fe90.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000000.271694098.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.271208855.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.508749383.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.270510923.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.270879293.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.281354781.00000000045DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.510323471.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: From Richard.exe PID: 6432, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: From Richard.exe PID: 6740, type: MEMORYSTR
Source: C:\Users\user\Desktop\From Richard.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\From Richard.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\From Richard.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\From Richard.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\From Richard.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\From Richard.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\Desktop\From Richard.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\From Richard.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\From Richard.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: Yara match | File source: 00000005.00000002.510323471.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: From Richard.exe PID: 6740, type: MEMORYSTR

                    Remote Access Functionality

Source: Yara match | File source: 5.0.From Richard.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.From Richard.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.From Richard.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.From Richard.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.From Richard.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.From Richard.exe.46b62b0.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.From Richard.exe.47058b0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.From Richard.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.From Richard.exe.46b62b0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.From Richard.exe.467fe90.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000000.271694098.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.271208855.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.508749383.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.270510923.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.270879293.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.281354781.00000000045DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.510323471.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: From Richard.exe PID: 6432, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: From Richard.exe PID: 6740, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques listed per tactic column; a number preceding a technique name is the count badge shown next to that cell in the original matrix)

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 211 Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: 11 Process Injection; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 131 Virtualization/Sandbox Evasion; 11 Process Injection; 11 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 13 Software Packing
Credential Access: 2 OS Credential Dumping; 111 Input Capture; 1 Credentials in Registry; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 211 Security Software Discovery; 1 Process Discovery; 131 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 Remote System Discovery; 114 System Information Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 1 Email Collection; 111 Input Capture; 11 Archive Collected Data; 2 Data from Local System; 1 Clipboard Data; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 11 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact
Source | Detection | Scanner | Label | Link
From Richard.exe | 49% | Virustotal | | Browse
From Richard.exe | 46% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla |
From Richard.exe | 100% | Joe Sandbox ML | |
No Antivirus matches

Source | Detection | Scanner | Label | Link | Download
5.0.From Richard.exe.400000.12.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
5.2.From Richard.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
5.0.From Richard.exe.400000.8.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
5.0.From Richard.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
5.0.From Richard.exe.400000.10.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
5.0.From Richard.exe.400000.6.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File

Source | Detection | Scanner | Label | Link
imfalert.com | 0% | Virustotal | | Browse

Source | Detection | Scanner | Label | Link
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe |
https://sectigo.com/CPS0 | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | 0% | URL Reputation | safe |
http://www.sandoll.co.kr- | 0% | Avira URL Cloud | safe |
http://www.tiro.com | 0% | URL Reputation | safe |
https://api.ipify.org%%startupfolder% | 0% | URL Reputation | safe |
http://www.goodfont.co.kr | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/jp/6 | 0% | URL Reputation | safe |
http://www.fontbureau.coma | 0% | URL Reputation | safe |
http://www.fontbureau.coml1 | 0% | URL Reputation | safe |
http://www.carterandcone.coml | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/-us; | 0% | Avira URL Cloud | safe |
http://www.sajatypeworks.com | 0% | URL Reputation | safe |
http://www.typography.netD | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
http://fontfabrik.com | 0% | URL Reputation | safe |
http://imfalert.com | 0% | Avira URL Cloud | safe |
http://mail.imfalert.com | 0% | Avira URL Cloud | safe |
http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
http://rfVwMD.com | 0% | Avira URL Cloud | safe |
http://www.galapagosdesign.com/staff/dennis.htmfr-fr | 0% | Avira URL Cloud | safe |
http://www.fontbureau.comm | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
http://www.sandoll.co.kr | 0% | URL Reputation | safe |
https://GJvFKn8SY2mNH.org | 0% | Avira URL Cloud | safe |
http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
http://www.sakkal.com | 0% | URL Reputation | safe |
https://api.ipify.org% | 0% | URL Reputation | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
imfalert.com | 209.205.209.130 | true | true | | unknown
mail.imfalert.com | unknown | unknown | true | | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | From Richard.exe, 00000005.00000002.510323471.00000000031E1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.apache.org/licenses/LICENSE-2.0 | From Richard.exe, 00000000.00000002.282112351.00000000074E2000.00000004.00000800.00020000.00000000.sdmp, From Richard.exe, 00000000.00000003.248894766.00000000062E1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | From Richard.exe, 00000000.00000002.282112351.00000000074E2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designersG | From Richard.exe, 00000000.00000002.282112351.00000000074E2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://sectigo.com/CPS0 | From Richard.exe, 00000005.00000002.510099135.000000000164A000.00000004.00000020.00020000.00000000.sdmp, From Richard.exe, 00000005.00000002.511136148.0000000003538000.00000004.00000800.00020000.00000000.sdmp, From Richard.exe, 00000005.00000003.303178584.0000000001676000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/? | From Richard.exe, 00000000.00000002.282112351.00000000074E2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | From Richard.exe, 00000000.00000002.282112351.00000000074E2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | From Richard.exe, 00000000.00000002.282112351.00000000074E2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | From Richard.exe, 00000005.00000002.510323471.00000000031E1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sandoll.co.kr- | From Richard.exe, 00000000.00000003.247889234.00000000062D6000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.tiro.com | From Richard.exe, 00000000.00000002.282112351.00000000074E2000.00000004.00000800.00020000.00000000.sdmp, From Richard.exe, 00000000.00000003.246948322.00000000062EB000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | From Richard.exe, 00000000.00000002.282112351.00000000074E2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.ipify.org%%startupfolder% | From Richard.exe, 00000005.00000002.510323471.00000000031E1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | low
http://www.goodfont.co.kr | From Richard.exe, 00000000.00000003.247889234.00000000062D6000.00000004.00000800.00020000.00000000.sdmp, From Richard.exe, 00000000.00000002.282112351.00000000074E2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/jp/6 | From Richard.exe, 00000000.00000003.250902150.00000000062D2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.coma | From Richard.exe, 00000000.00000002.281959651.00000000062D0000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.coml1 | From Richard.exe, 00000000.00000002.281959651.00000000062D0000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | From Richard.exe, 00000000.00000002.282112351.00000000074E2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/-us; | From Richard.exe, 00000000.00000003.250902150.00000000062D2000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sajatypeworks.com | From Richard.exe, 00000000.00000002.282112351.00000000074E2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | From Richard.exe, 00000000.00000002.282112351.00000000074E2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | From Richard.exe, 00000000.00000002.282112351.00000000074E2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | From Richard.exe, 00000000.00000002.282112351.00000000074E2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | From Richard.exe, 00000000.00000002.282112351.00000000074E2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | From Richard.exe, 00000000.00000002.282112351.00000000074E2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://imfalert.com | From Richard.exe, 00000005.00000002.511136148.0000000003538000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://mail.imfalert.com | From Richard.exe, 00000005.00000002.511136148.0000000003538000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn | From Richard.exe, 00000000.00000002.282112351.00000000074E2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://rfVwMD.com | From Richard.exe, 00000005.00000002.510323471.00000000031E1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | From Richard.exe, 00000000.00000002.282112351.00000000074E2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.galapagosdesign.com/staff/dennis.htmfr-fr | From Richard.exe, 00000000.00000003.256001459.000000000630E000.00000004.00000800.00020000.00000000.sdmp, From Richard.exe, 00000000.00000003.256123470.000000000630E000.00000004.00000800.00020000.00000000.sdmp, From Richard.exe, 00000000.00000003.256046813.000000000630E000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.comm | From Richard.exe, 00000000.00000002.281959651.00000000062D0000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/ | From Richard.exe, 00000000.00000003.250902150.00000000062D2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://DynDns.comDynDNSnamejidpasswordPsi/Psi | From Richard.exe, 00000005.00000002.510323471.00000000031E1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | From Richard.exe, 00000000.00000002.282112351.00000000074E2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | From Richard.exe, 00000000.00000002.282112351.00000000074E2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fonts.com | From Richard.exe, 00000000.00000002.282112351.00000000074E2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | From Richard.exe, 00000000.00000003.247889234.00000000062D6000.00000004.00000800.00020000.00000000.sdmp, From Richard.exe, 00000000.00000002.282112351.00000000074E2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe |
                                          unknown
                                          https://GJvFKn8SY2mNH.orgFrom Richard.exe, 00000005.00000002.511306936.000000000355C000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.urwpp.deDPleaseFrom Richard.exe, 00000000.00000002.282112351.00000000074E2000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.zhongyicts.com.cnFrom Richard.exe, 00000000.00000002.282112351.00000000074E2000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.sakkal.comFrom Richard.exe, 00000000.00000002.282112351.00000000074E2000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          https://api.ipify.org%From Richard.exe, 00000005.00000002.510323471.00000000031E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          low
IP | Domain | Country | ASN | ASN Name | Malicious
209.205.209.130 | imfalert.com | United States | 55081 | 24SHELLSUS | true
Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 626543
Start date and time: 14/05/2022 11:57:10 (2022-05-14 11:57:10 +02:00)
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 43s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: From Richard.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes: 26
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@5/1@2/1
EGA Information:
• Successful, ratio: 66.7%
HDC Information:
• Successful, ratio: 0.1% (good quality ratio 0%)
• Quality average: 33.6%
• Quality standard deviation: 27.4%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Adjust boot time
• Enable AMSI
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, settings-win.data.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Execution Graph export aborted for target From Richard.exe, PID 6732 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
11:58:18 | API Interceptor | 725x Sleep call for process: From Richard.exe modified
Process: C:\Users\user\Desktop\From Richard.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1308
Entropy (8bit): 5.345811588615766
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4FsXE8:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHJ
MD5: EA78C102145ED608EF0E407B978AF339
SHA1: 66C9179ED9675B9271A97AB1FC878077E09AB731
SHA-256: 8BF01E0C445BD07C0B4EDC7199B7E17DAF1CA55CA52D4A6EAC4EF211C2B1A73E
SHA-512: 8C04139A1FC3C3BDACB680EC443615A43EB18E73B5A0CFCA644CB4A5E71746B275B3E238DD1A5A205405313E457BB75F9BBB93277C67AFA5D78DCFA30E5DA02B
Malicious: true
Reputation: moderate, very likely benign file
                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.897267979651854
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: From Richard.exe
File size: 550912
MD5: fa530d1cf018a5cc8c8215344b09d2f7
SHA1: bbd46bf5bead0b503ce045e5d5a856745bca49b9
SHA256: fe581076f8a8cd90b93b2bca8fde7fa8008c2c1c0962fc0282f785354fcda4a4
SHA512: 1ca23c746e0f98a384e2bc0842c773af9bb9bcac2c2bc2d2b38ebc870f0ea49466957fb1d0661fe5f7ecc3169857e9b250960eed9d222e9612b6f4d5818ffb7f
SSDEEP: 12288:IhWQ1JN/HRCakerytvcHi9sS2Q7oY4J/DP:UWQ1JpRCs20Hid2Qob9
TLSH: 0BC4122932F47B66E8BB9BFC42B4300503F5662B3111F3AE9DC520DB6A65F540741EAB
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....}b..............0..^...........}... ........@.. ....................................@................................
Icon Hash: 00828e8e8686b000
Entrypoint: 0x487d82
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x627DCBA3 [Fri May 13 03:08:19 2022 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
                                          Instruction
                                          jmp dword ptr [00402000h]
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x87d30 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x88000 | 0x5c4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x8a000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x85d88 | 0x85e00 | False | 0.930996877918 | data | 7.90632247255 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x88000 | 0x5c4 | 0x600 | False | 0.424479166667 | data | 4.122031579 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x8a000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x88090 | 0x334 | data | |
RT_MANIFEST | 0x883d4 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |
DLL | Import
mscoree.dll | _CorExeMain
Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2017
Assembly Version | 1.0.0.0
InternalName | PropertyBuil.exe
FileVersion | 1.0.0.0
CompanyName |
LegalTrademarks |
Comments |
ProductName | TexasHoldem
ProductVersion | 1.0.0.0
FileDescription | TexasHoldem
OriginalFilename | PropertyBuil.exe
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 14, 2022 11:58:36.338269949 CEST | 49747 | 587 | 192.168.2.3 | 209.205.209.130
May 14, 2022 11:58:36.441176891 CEST | 587 | 49747 | 209.205.209.130 | 192.168.2.3
May 14, 2022 11:58:36.441324949 CEST | 49747 | 587 | 192.168.2.3 | 209.205.209.130
May 14, 2022 11:58:36.595638990 CEST | 587 | 49747 | 209.205.209.130 | 192.168.2.3
May 14, 2022 11:58:36.598819971 CEST | 49747 | 587 | 192.168.2.3 | 209.205.209.130
May 14, 2022 11:58:36.702187061 CEST | 587 | 49747 | 209.205.209.130 | 192.168.2.3
May 14, 2022 11:58:36.702584982 CEST | 49747 | 587 | 192.168.2.3 | 209.205.209.130
May 14, 2022 11:58:36.807768106 CEST | 587 | 49747 | 209.205.209.130 | 192.168.2.3
May 14, 2022 11:58:36.865362883 CEST | 49747 | 587 | 192.168.2.3 | 209.205.209.130
May 14, 2022 11:58:36.974081039 CEST | 587 | 49747 | 209.205.209.130 | 192.168.2.3
May 14, 2022 11:58:36.974169016 CEST | 587 | 49747 | 209.205.209.130 | 192.168.2.3
May 14, 2022 11:58:36.974215984 CEST | 587 | 49747 | 209.205.209.130 | 192.168.2.3
May 14, 2022 11:58:36.974255085 CEST | 587 | 49747 | 209.205.209.130 | 192.168.2.3
May 14, 2022 11:58:36.974255085 CEST | 49747 | 587 | 192.168.2.3 | 209.205.209.130
May 14, 2022 11:58:36.974313021 CEST | 49747 | 587 | 192.168.2.3 | 209.205.209.130
May 14, 2022 11:58:36.975522995 CEST | 587 | 49747 | 209.205.209.130 | 192.168.2.3
May 14, 2022 11:58:37.028873920 CEST | 49747 | 587 | 192.168.2.3 | 209.205.209.130
May 14, 2022 11:58:37.132056952 CEST | 587 | 49747 | 209.205.209.130 | 192.168.2.3
May 14, 2022 11:58:37.225039959 CEST | 49747 | 587 | 192.168.2.3 | 209.205.209.130
May 14, 2022 11:58:37.328228951 CEST | 587 | 49747 | 209.205.209.130 | 192.168.2.3
May 14, 2022 11:58:37.332756996 CEST | 49747 | 587 | 192.168.2.3 | 209.205.209.130
May 14, 2022 11:58:37.436261892 CEST | 587 | 49747 | 209.205.209.130 | 192.168.2.3
May 14, 2022 11:58:37.469553947 CEST | 49747 | 587 | 192.168.2.3 | 209.205.209.130
May 14, 2022 11:58:37.588709116 CEST | 587 | 49747 | 209.205.209.130 | 192.168.2.3
May 14, 2022 11:58:37.606544971 CEST | 49747 | 587 | 192.168.2.3 | 209.205.209.130
May 14, 2022 11:58:37.709552050 CEST | 587 | 49747 | 209.205.209.130 | 192.168.2.3
May 14, 2022 11:58:37.712232113 CEST | 49747 | 587 | 192.168.2.3 | 209.205.209.130
May 14, 2022 11:58:37.825894117 CEST | 587 | 49747 | 209.205.209.130 | 192.168.2.3
May 14, 2022 11:58:37.876655102 CEST | 49747 | 587 | 192.168.2.3 | 209.205.209.130
May 14, 2022 11:58:37.979805946 CEST | 587 | 49747 | 209.205.209.130 | 192.168.2.3
May 14, 2022 11:58:37.981095076 CEST | 49747 | 587 | 192.168.2.3 | 209.205.209.130
May 14, 2022 11:58:37.981161118 CEST | 49747 | 587 | 192.168.2.3 | 209.205.209.130
May 14, 2022 11:58:37.981924057 CEST | 49747 | 587 | 192.168.2.3 | 209.205.209.130
May 14, 2022 11:58:37.982029915 CEST | 49747 | 587 | 192.168.2.3 | 209.205.209.130
May 14, 2022 11:58:38.084068060 CEST | 587 | 49747 | 209.205.209.130 | 192.168.2.3
May 14, 2022 11:58:38.084152937 CEST | 587 | 49747 | 209.205.209.130 | 192.168.2.3
May 14, 2022 11:58:38.084671021 CEST | 587 | 49747 | 209.205.209.130 | 192.168.2.3
May 14, 2022 11:58:38.084703922 CEST | 587 | 49747 | 209.205.209.130 | 192.168.2.3
May 14, 2022 11:58:38.093137980 CEST | 587 | 49747 | 209.205.209.130 | 192.168.2.3
May 14, 2022 11:58:38.136451006 CEST | 49747 | 587 | 192.168.2.3 | 209.205.209.130
May 14, 2022 12:00:15.973247051 CEST | 49747 | 587 | 192.168.2.3 | 209.205.209.130
May 14, 2022 12:00:16.117870092 CEST | 587 | 49747 | 209.205.209.130 | 192.168.2.3
May 14, 2022 12:00:16.405720949 CEST | 587 | 49747 | 209.205.209.130 | 192.168.2.3
May 14, 2022 12:00:16.407898903 CEST | 49747 | 587 | 192.168.2.3 | 209.205.209.130
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 14, 2022 11:58:36.054285049 CEST | 55923 | 53 | 192.168.2.3 | 8.8.8.8
May 14, 2022 11:58:36.157443047 CEST | 53 | 55923 | 8.8.8.8 | 192.168.2.3
May 14, 2022 11:58:36.216921091 CEST | 57723 | 53 | 192.168.2.3 | 8.8.8.8
May 14, 2022 11:58:36.318223953 CEST | 53 | 57723 | 8.8.8.8 | 192.168.2.3
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
May 14, 2022 11:58:36.054285049 CEST | 192.168.2.3 | 8.8.8.8 | 0x7825 | Standard query (0) | mail.imfalert.com | A (IP address) | IN (0x0001)
May 14, 2022 11:58:36.216921091 CEST | 192.168.2.3 | 8.8.8.8 | 0x7190 | Standard query (0) | mail.imfalert.com | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
May 14, 2022 11:58:36.157443047 CEST | 8.8.8.8 | 192.168.2.3 | 0x7825 | No error (0) | mail.imfalert.com | imfalert.com | | CNAME (Canonical name) | IN (0x0001)
May 14, 2022 11:58:36.157443047 CEST | 8.8.8.8 | 192.168.2.3 | 0x7825 | No error (0) | imfalert.com | | 209.205.209.130 | A (IP address) | IN (0x0001)
May 14, 2022 11:58:36.318223953 CEST | 8.8.8.8 | 192.168.2.3 | 0x7190 | No error (0) | mail.imfalert.com | imfalert.com | | CNAME (Canonical name) | IN (0x0001)
May 14, 2022 11:58:36.318223953 CEST | 8.8.8.8 | 192.168.2.3 | 0x7190 | No error (0) | imfalert.com | | 209.205.209.130 | A (IP address) | IN (0x0001)
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
May 14, 2022 11:58:36.595638990 CEST | 587 | 49747 | 209.205.209.130 | 192.168.2.3 | 220-standard8.doveserver.com ESMTP Exim 4.95 #2 Sat, 14 May 2022 10:58:36 +0100
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
May 14, 2022 11:58:36.598819971 CEST | 49747 | 587 | 192.168.2.3 | 209.205.209.130 | EHLO 585948
May 14, 2022 11:58:36.702187061 CEST | 587 | 49747 | 209.205.209.130 | 192.168.2.3 | 250-standard8.doveserver.com Hello 585948 [102.129.143.55]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPE_CONNECT
    250-STARTTLS
    250 HELP
May 14, 2022 11:58:36.702584982 CEST | 49747 | 587 | 192.168.2.3 | 209.205.209.130 | STARTTLS
May 14, 2022 11:58:36.807768106 CEST | 587 | 49747 | 209.205.209.130 | 192.168.2.3 | 220 TLS go ahead


                                          Target ID: 0
                                          Start time: 11:58:10
                                          Start date: 14/05/2022
                                          Path: C:\Users\user\Desktop\From Richard.exe
                                          Wow64 process (32bit): true
                                          Commandline: "C:\Users\user\Desktop\From Richard.exe"
                                          Imagebase: 0xfc0000
                                          File size: 550912 bytes
                                          MD5 hash: FA530D1CF018A5CC8C8215344B09D2F7
                                          Has elevated privileges: true
                                          Has administrator privileges: true
                                          Programmed in: .Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.277272933.0000000003481000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.281354781.00000000045DC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.281354781.00000000045DC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation: low

                                          Target ID: 4
                                          Start time: 11:58:20
                                          Start date: 14/05/2022
                                          Path: C:\Users\user\Desktop\From Richard.exe
                                          Wow64 process (32bit): false
                                          Commandline: C:\Users\user\Desktop\From Richard.exe
                                          Imagebase: 0x340000
                                          File size: 550912 bytes
                                          MD5 hash: FA530D1CF018A5CC8C8215344B09D2F7
                                          Has elevated privileges: true
                                          Has administrator privileges: true
                                          Programmed in: C, C++ or other language
                                          Reputation: low

                                          Target ID: 5
                                          Start time: 11:58:22
                                          Start date: 14/05/2022
                                          Path: C:\Users\user\Desktop\From Richard.exe
                                          Wow64 process (32bit): true
                                          Commandline: C:\Users\user\Desktop\From Richard.exe
                                          Imagebase: 0xec0000
                                          File size: 550912 bytes
                                          MD5 hash: FA530D1CF018A5CC8C8215344B09D2F7
                                          Has elevated privileges: true
                                          Has administrator privileges: true
                                          Programmed in: .Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000000.271694098.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000000.271694098.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000000.271208855.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000000.271208855.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.508749383.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000002.508749383.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000000.270510923.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000000.270510923.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000000.270879293.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000000.270879293.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.510323471.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.510323471.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation: low

                                          No disassembly