Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
INV00987890.exe

Overview

General Information

Sample Name:INV00987890.exe
Analysis ID:635170
MD5:fe5cab253ef5708d03dd6970e105b6c6
SHA1:d7d0ba487169c56e33e92064b482c2d56d5dba5e
SHA256:80f5923e2037f3596f2bebec849a1a55221c37c714d14eca6bdd35e12351ec7d
Tags:agentteslaexe
Infos:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected AntiVM3
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Modifies the hosts file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains very large array initializations
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Drops certificate files (DER)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • INV00987890.exe (PID: 6468 cmdline: "C:\Users\user\Desktop\INV00987890.exe" MD5: FE5CAB253EF5708D03DD6970E105B6C6)
    • INV00987890.exe (PID: 6764 cmdline: {path} MD5: FE5CAB253EF5708D03DD6970E105B6C6)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "info@maviksel.com", "Password": "Ravi/1970", "Host": "mail.maviksel.com"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000004.00000002.526824095.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000004.00000002.526824095.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
      00000004.00000000.295217525.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        00000004.00000000.295217525.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
          00000004.00000000.296078130.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            Click to see the 13 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            4.0.INV00987890.exe.400000.10.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              4.0.INV00987890.exe.400000.10.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                4.0.INV00987890.exe.400000.10.unpackMALWARE_Win_AgentTeslaV3AgentTeslaV3 infostealer payloadditekSHen
                • 0x32cab:$s10: logins
                • 0x32712:$s11: credential
                • 0x2ecd3:$g1: get_Clipboard
                • 0x2ece1:$g2: get_Keyboard
                • 0x2ecee:$g3: get_Password
                • 0x2ffeb:$g4: get_CtrlKeyDown
                • 0x2fffb:$g5: get_ShiftKeyDown
                • 0x3000c:$g6: get_AltKeyDown
                4.0.INV00987890.exe.400000.4.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                  4.0.INV00987890.exe.400000.4.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                    Click to see the 22 entries

                    Sigma Signatures

                    No Sigma rule has matched

                    Snort Signatures

                    No Snort rule has matched

                    Joe Sandbox Signatures

                    Click to jump to signature section

                    Show All Signature Results

                    AV Detection

                    barindex
                    Found malware configuration
                    Source: 4.0.INV00987890.exe.400000.12.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "info@maviksel.com", "Password": "Ravi/1970", "Host": "mail.maviksel.com"}
                    Multi AV Scanner detection for submitted file
                    Source: INV00987890.exeVirustotal: Detection: 30%Perma Link
                    Source: INV00987890.exeReversingLabs: Detection: 26%
                    Machine Learning detection for sample
                    Source: INV00987890.exeJoe Sandbox ML: detected
                    Source: 4.0.INV00987890.exe.400000.12.unpackAvira: Label: TR/Spy.Gen8
                    Source: 4.0.INV00987890.exe.400000.8.unpackAvira: Label: TR/Spy.Gen8
                    Source: 4.2.INV00987890.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                    Source: 4.0.INV00987890.exe.400000.6.unpackAvira: Label: TR/Spy.Gen8
                    Source: 4.0.INV00987890.exe.400000.10.unpackAvira: Label: TR/Spy.Gen8
                    Source: 4.0.INV00987890.exe.400000.4.unpackAvira: Label: TR/Spy.Gen8
                    Source: INV00987890.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                    Source: INV00987890.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                    Source: C:\Users\user\Desktop\INV00987890.exeCode function: 4x nop then mov dword ptr [ebp-18h], 00000000h
                    Source: Joe Sandbox ViewASN Name: PUBLIC-DOMAIN-REGISTRYUS PUBLIC-DOMAIN-REGISTRYUS
                    Source: Joe Sandbox ViewIP Address: 162.215.253.210 162.215.253.210
                    Source: Joe Sandbox ViewIP Address: 162.215.253.210 162.215.253.210
                    Source: global trafficTCP traffic: 192.168.2.3:49753 -> 162.215.253.210:587
                    Source: global trafficTCP traffic: 192.168.2.3:49753 -> 162.215.253.210:587
                    Source: INV00987890.exe, 00000004.00000002.529292759.0000000003171000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                    Source: INV00987890.exe, 00000004.00000002.529292759.0000000003171000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
                    Source: INV00987890.exe, 00000004.00000002.529292759.0000000003171000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://NEjfKK.com
                    Source: INV00987890.exe, 00000004.00000002.531118006.00000000034D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cps.letsencrypt.org0
                    Source: 77EC63BDA74BD0D0E0426DC8F80085060.4.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                    Source: INV00987890.exe, 00000004.00000003.346614551.0000000006A69000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?dfa321c85cb10
                    Source: INV00987890.exe, 00000000.00000003.265410217.00000000053EB000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000002.309175319.0000000006662000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://fontfabrik.com
                    Source: INV00987890.exe, 00000004.00000002.531118006.00000000034D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://mail.maviksel.com
                    Source: INV00987890.exe, 00000004.00000002.531118006.00000000034D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://maviksel.com
                    Source: INV00987890.exe, 00000004.00000002.531118006.00000000034D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://r3.i.lencr.org/0
                    Source: INV00987890.exe, 00000004.00000002.531118006.00000000034D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://r3.o.lencr.org0
                    Source: INV00987890.exe, 00000000.00000002.309175319.0000000006662000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                    Source: INV00987890.exe, 00000000.00000003.271107327.00000000053DD000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.270816122.00000000053DD000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.270557812.00000000053DD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.com
                    Source: INV00987890.exe, 00000000.00000002.309175319.0000000006662000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
                    Source: INV00987890.exe, 00000000.00000003.276313639.00000000053D9000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000002.309175319.0000000006662000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000002.308767318.00000000053D0000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.298547621.00000000053D0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
                    Source: INV00987890.exe, 00000000.00000003.278527778.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.278472905.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.281901697.0000000005402000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.279181554.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.280387812.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.281286258.000000000540D000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.280312610.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.278741035.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.281875487.00000000053FF000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.278224495.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.280120374.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.279720695.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.278188080.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.278682189.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.279603178.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.278155597.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.278710128.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.279112580.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.278278704.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.279325032.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.281707943.000000000540D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/de
                    Source: INV00987890.exe, 00000000.00000002.309175319.0000000006662000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                    Source: INV00987890.exe, 00000000.00000002.309175319.0000000006662000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                    Source: INV00987890.exe, 00000000.00000003.275437800.0000000005405000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
                    Source: INV00987890.exe, 00000000.00000002.309175319.0000000006662000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                    Source: INV00987890.exe, 00000000.00000003.276526018.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.275998575.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.277261918.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.276292788.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.277989711.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.276145647.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.275621528.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.276978947.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.277921796.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.277735473.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.276553761.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.275946542.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.276699756.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.277295426.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.275437800.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.277761576.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.276877803.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.275842686.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.275718248.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.275888860.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.276098140.0000000005405000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlp
                    Source: INV00987890.exe, 00000000.00000002.309175319.0000000006662000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                    Source: INV00987890.exe, 00000000.00000002.309175319.0000000006662000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                    Source: INV00987890.exe, 00000000.00000002.309175319.0000000006662000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                    Source: INV00987890.exe, 00000000.00000002.309175319.0000000006662000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                    Source: INV00987890.exe, 00000000.00000003.276313639.00000000053D9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comF
                    Source: INV00987890.exe, 00000000.00000002.308767318.00000000053D0000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.298547621.00000000053D0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comM
                    Source: INV00987890.exe, 00000000.00000002.308767318.00000000053D0000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.298547621.00000000053D0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.coma
                    Source: INV00987890.exe, 00000000.00000003.276313639.00000000053D9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comalic
                    Source: INV00987890.exe, 00000000.00000003.276313639.00000000053D9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comalsdw
                    Source: INV00987890.exe, 00000000.00000003.274943515.00000000053D9000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.276313639.00000000053D9000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.275367663.00000000053DA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comcom
                    Source: INV00987890.exe, 00000000.00000003.276313639.00000000053D9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comd
                    Source: INV00987890.exe, 00000000.00000003.274943515.00000000053D9000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.275367663.00000000053DA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comdw
                    Source: INV00987890.exe, 00000000.00000003.273991474.00000000053D8000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.274943515.00000000053D9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comeM
                    Source: INV00987890.exe, 00000000.00000003.274943515.00000000053D9000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.276313639.00000000053D9000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.275367663.00000000053DA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.commn
                    Source: INV00987890.exe, 00000000.00000003.274943515.00000000053D9000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.275367663.00000000053DA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.comueta
                    Source: INV00987890.exe, 00000000.00000003.265029682.00000000053EB000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000002.309175319.0000000006662000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.264949600.00000000053EB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                    Source: INV00987890.exe, 00000000.00000003.265099327.00000000053EB000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.265126207.00000000053EB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.comic
                    Source: INV00987890.exe, 00000000.00000003.265029682.00000000053EB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.comnr2
                    Source: INV00987890.exe, 00000000.00000003.265029682.00000000053EB000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.264949600.00000000053EB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.comnte
                    Source: INV00987890.exe, 00000000.00000003.267436367.00000000053D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.c
                    Source: INV00987890.exe, 00000000.00000002.309175319.0000000006662000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.267409325.000000000540D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                    Source: INV00987890.exe, 00000000.00000003.267836467.00000000053D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/
                    Source: INV00987890.exe, 00000000.00000002.309175319.0000000006662000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                    Source: INV00987890.exe, 00000000.00000002.309175319.0000000006662000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                    Source: INV00987890.exe, 00000000.00000003.267409325.000000000540D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cnR
                    Source: INV00987890.exe, 00000000.00000003.267836467.00000000053D4000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.267986661.00000000053DB000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.267436367.00000000053D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cnk
                    Source: INV00987890.exe, 00000000.00000003.267409325.000000000540D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cns-m
                    Source: INV00987890.exe, 00000000.00000002.309175319.0000000006662000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                    Source: INV00987890.exe, 00000000.00000002.309175319.0000000006662000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                    Source: INV00987890.exe, 00000000.00000002.309175319.0000000006662000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
                    Source: INV00987890.exe, 00000000.00000002.309175319.0000000006662000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                    Source: INV00987890.exe, 00000000.00000003.264890640.00000000053EB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                    Source: INV00987890.exe, 00000000.00000003.265029682.00000000053EB000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.265085729.00000000053F4000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.264743780.00000000053EB000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.264685681.00000000053EB000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.264814672.00000000053EB000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.264852176.00000000053EB000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.264630003.00000000053EB000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.264949600.00000000053EB000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.264890640.00000000053EB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.coma-d%
                    Source: INV00987890.exe, 00000000.00000002.309175319.0000000006662000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
                    Source: INV00987890.exe, 00000000.00000002.309175319.0000000006662000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.266564650.00000000053D9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
                    Source: INV00987890.exe, 00000000.00000003.266564650.00000000053D9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.krati
                    Source: INV00987890.exe, 00000000.00000002.309175319.0000000006662000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
                    Source: INV00987890.exe, 00000000.00000003.265410217.00000000053EB000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.265488221.00000000053EB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.comA
                    Source: INV00987890.exe, 00000000.00000002.309175319.0000000006662000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
                    Source: INV00987890.exe, 00000000.00000003.276313639.00000000053D9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.de
                    Source: INV00987890.exe, 00000000.00000003.276313639.00000000053D9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.de.
                    Source: INV00987890.exe, 00000000.00000002.309175319.0000000006662000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                    Source: INV00987890.exe, 00000000.00000003.276313639.00000000053D9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.dem
                    Source: INV00987890.exe, 00000000.00000002.309175319.0000000006662000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                    Source: INV00987890.exe, 00000004.00000002.531118006.00000000034D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.c.lencr.org/0
                    Source: 2D85F72862B55C4EADD9E66E06947F3D0.4.drString found in binary or memory: http://x1.i.lencr.org/
                    Source: INV00987890.exe, 00000004.00000002.531118006.00000000034D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://x1.i.lencr.org/0
                    Source: INV00987890.exe, 00000004.00000002.531371637.00000000034F3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://BJANwyE880kOV.net
                    Source: INV00987890.exe, 00000004.00000003.317448459.00000000014C4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://BJANwyE880kOV.net853321935-2125563209-4053062332-1002_Classes
                    Source: INV00987890.exe, 00000004.00000002.529292759.0000000003171000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org%
                    Source: INV00987890.exe, 00000004.00000002.529292759.0000000003171000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org%%startupfolder%
                    Source: INV00987890.exe, 00000004.00000002.529292759.0000000003171000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
                    Source: unknownDNS traffic detected: queries for: mail.maviksel.com
                    Source: C:\Users\user\Desktop\INV00987890.exeFile created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3DJump to dropped file

                    Spam, unwanted Advertisements and Ransom Demands

                    barindex
                    Modifies the hosts file
                    Source: C:\Users\user\Desktop\INV00987890.exeFile written: C:\Windows\System32\drivers\etc\hostsJump to behavior

                    System Summary

                    barindex
                    Malicious sample detected (through community Yara rule)
                    Source: 4.0.INV00987890.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 4.0.INV00987890.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 4.0.INV00987890.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.INV00987890.exe.3599a00.2.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 4.0.INV00987890.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.INV00987890.exe.3553fa0.3.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 4.2.INV00987890.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 4.0.INV00987890.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    Source: 0.2.INV00987890.exe.3553fa0.3.raw.unpack, type: UNPACKEDPEMatched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
                    .NET source code contains very large array initializations
                    Source: 4.0.INV00987890.exe.400000.12.unpack, u003cPrivateImplementationDetailsu003eu007b9D560B71u002d2988u002d400Cu002d92B2u002d2C1BD4F0ACA8u007d/D737A0A3u002d8909u002d437Bu002d9EF9u002d27AF18FE1A5A.csLarge array initialization: .cctor: array initializer size 11666
                    Source: 4.0.INV00987890.exe.400000.8.unpack, u003cPrivateImplementationDetailsu003eu007b9D560B71u002d2988u002d400Cu002d92B2u002d2C1BD4F0ACA8u007d/D737A0A3u002d8909u002d437Bu002d9EF9u002d27AF18FE1A5A.csLarge array initialization: .cctor: array initializer size 11666
                    Source: 4.2.INV00987890.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b9D560B71u002d2988u002d400Cu002d92B2u002d2C1BD4F0ACA8u007d/D737A0A3u002d8909u002d437Bu002d9EF9u002d27AF18FE1A5A.csLarge array initialization: .cctor: array initializer size 11666
                    Source: 4.0.INV00987890.exe.400000.6.unpack, u003cPrivateImplementationDetailsu003eu007b9D560B71u002d2988u002d400Cu002d92B2u002d2C1BD4F0ACA8u007d/D737A0A3u002d8909u002d437Bu002d9EF9u002d27AF18FE1A5A.csLarge array initialization: .cctor: array initializer size 11666
                    Source: 4.0.INV00987890.exe.400000.10.unpack, u003cPrivateImplementationDetailsu003eu007b9D560B71u002d2988u002d400Cu002d92B2u002d2C1BD4F0ACA8u007d/D737A0A3u002d8909u002d437Bu002d9EF9u002d27AF18FE1A5A.csLarge array initialization: .cctor: array initializer size 11666
                    Source: INV00987890.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                    Source: 4.0.INV00987890.exe.400000.10.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 4.0.INV00987890.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 4.0.INV00987890.exe.400000.12.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.INV00987890.exe.3599a00.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 4.0.INV00987890.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.INV00987890.exe.3553fa0.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 4.2.INV00987890.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 4.0.INV00987890.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: 0.2.INV00987890.exe.3553fa0.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: C:\Users\user\Desktop\INV00987890.exeCode function: 0_2_0016A11D
                    Source: C:\Users\user\Desktop\INV00987890.exeCode function: 0_2_0232E560
                    Source: C:\Users\user\Desktop\INV00987890.exeCode function: 0_2_0232E550
                    Source: C:\Users\user\Desktop\INV00987890.exeCode function: 0_2_0232BCD4
                    Source: C:\Users\user\Desktop\INV00987890.exeCode function: 0_2_04440346
                    Source: C:\Users\user\Desktop\INV00987890.exeCode function: 0_2_0016644E
                    Source: C:\Users\user\Desktop\INV00987890.exeCode function: 4_2_00E3A11D
                    Source: C:\Users\user\Desktop\INV00987890.exeCode function: 4_2_016EF378
                    Source: C:\Users\user\Desktop\INV00987890.exeCode function: 4_2_016EF6C0
                    Source: C:\Users\user\Desktop\INV00987890.exeCode function: 4_2_016E6563
                    Source: C:\Users\user\Desktop\INV00987890.exeCode function: 4_2_0698AFF4
                    Source: C:\Users\user\Desktop\INV00987890.exeCode function: 4_2_0698F8B8
                    Source: C:\Users\user\Desktop\INV00987890.exeCode function: 4_2_06985430
                    Source: C:\Users\user\Desktop\INV00987890.exeCode function: 4_2_0698D9E0
                    Source: C:\Users\user\Desktop\INV00987890.exeCode function: 4_2_069832A8
                    Source: C:\Users\user\Desktop\INV00987890.exeCode function: 4_2_069CE0F0
                    Source: C:\Users\user\Desktop\INV00987890.exeCode function: 4_2_069C8580
                    Source: C:\Users\user\Desktop\INV00987890.exeCode function: 4_2_069CE08C
                    Source: C:\Users\user\Desktop\INV00987890.exeCode function: 4_2_069C9458
                    Source: C:\Users\user\Desktop\INV00987890.exeCode function: 4_2_069C0390
                    Source: C:\Users\user\Desktop\INV00987890.exeCode function: 4_2_069C93A8
                    Source: C:\Users\user\Desktop\INV00987890.exeCode function: 4_2_069CCFD8
                    Source: C:\Users\user\Desktop\INV00987890.exeCode function: 4_2_00E3644E
                    Source: INV00987890.exeBinary or memory string: OriginalFilename vs INV00987890.exe
                    Source: INV00987890.exe, 00000000.00000002.309658003.0000000006D60000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs INV00987890.exe
                    Source: INV00987890.exe, 00000000.00000002.301301141.0000000002441000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameBunifu.UI.dll4 vs INV00987890.exe
                    Source: INV00987890.exe, 00000000.00000002.301301141.0000000002441000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamevBtkGzLyUSgdZHxyNbFIvFKJMAULdLJZTRI.exe4 vs INV00987890.exe
                    Source: INV00987890.exe, 00000000.00000000.257615533.0000000000162000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameTNVeK.exe8 vs INV00987890.exe
                    Source: INV00987890.exe, 00000000.00000002.306417687.000000000345F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamevBtkGzLyUSgdZHxyNbFIvFKJMAULdLJZTRI.exe4 vs INV00987890.exe
                    Source: INV00987890.exe, 00000000.00000002.306417687.000000000345F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs INV00987890.exe
                    Source: INV00987890.exe, 00000000.00000002.304708028.00000000027F2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMajorRevision.exe< vs INV00987890.exe
                    Source: INV00987890.exeBinary or memory string: OriginalFilename vs INV00987890.exe
                    Source: INV00987890.exe, 00000004.00000002.526824095.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilenamevBtkGzLyUSgdZHxyNbFIvFKJMAULdLJZTRI.exe4 vs INV00987890.exe
                    Source: INV00987890.exe, 00000004.00000000.296745637.0000000000E32000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameTNVeK.exe8 vs INV00987890.exe
                    Source: INV00987890.exe, 00000004.00000002.528045461.00000000012F8000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs INV00987890.exe
                    Source: INV00987890.exeBinary or memory string: OriginalFilenameTNVeK.exe8 vs INV00987890.exe
                    Source: INV00987890.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: INV00987890.exeVirustotal: Detection: 30%
                    Source: INV00987890.exeReversingLabs: Detection: 26%
                    Source: INV00987890.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: C:\Users\user\Desktop\INV00987890.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: unknownProcess created: C:\Users\user\Desktop\INV00987890.exe "C:\Users\user\Desktop\INV00987890.exe"
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess created: C:\Users\user\Desktop\INV00987890.exe {path}
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess created: C:\Users\user\Desktop\INV00987890.exe {path}
                    Source: C:\Users\user\Desktop\INV00987890.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
                    Source: C:\Users\user\Desktop\INV00987890.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\INV00987890.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\INV00987890.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\INV00987890.exe.logJump to behavior
                    Source: classification engineClassification label: mal100.troj.adwa.spyw.evad.winEXE@3/6@3/1
                    Source: INV00987890.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    Source: C:\Users\user\Desktop\INV00987890.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Users\user\Desktop\INV00987890.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Users\user\Desktop\INV00987890.exeMutant created: \Sessions\1\BaseNamedObjects\kfUWHizl
                    Source: 4.0.INV00987890.exe.400000.12.unpack, A/F1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 4.0.INV00987890.exe.400000.12.unpack, A/F1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 4.0.INV00987890.exe.400000.8.unpack, A/F1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 4.0.INV00987890.exe.400000.8.unpack, A/F1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 4.2.INV00987890.exe.400000.0.unpack, A/F1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 4.2.INV00987890.exe.400000.0.unpack, A/F1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: C:\Users\user\Desktop\INV00987890.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Users\user\Desktop\INV00987890.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Users\user\Desktop\INV00987890.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Users\user\Desktop\INV00987890.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Users\user\Desktop\INV00987890.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Users\user\Desktop\INV00987890.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: INV00987890.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: INV00987890.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                    Source: C:\Users\user\Desktop\INV00987890.exeCode function: 0_2_0016BA89 push ss; retf
                    Source: C:\Users\user\Desktop\INV00987890.exeCode function: 0_2_0444307D push FFFFFF8Bh; iretd
                    Source: C:\Users\user\Desktop\INV00987890.exeCode function: 4_2_00E3BA89 push ss; retf
                    Source: C:\Users\user\Desktop\INV00987890.exeCode function: 4_2_069832A8 push es; iretd
                    Source: C:\Users\user\Desktop\INV00987890.exeCode function: 4_2_069832A8 push es; iretd
                    Source: C:\Users\user\Desktop\INV00987890.exeCode function: 4_2_0698179A push es; ret
                    Source: C:\Users\user\Desktop\INV00987890.exeCode function: 4_2_06981792 push es; ret
                    Source: C:\Users\user\Desktop\INV00987890.exeCode function: 4_2_0698178E push es; ret
                    Source: C:\Users\user\Desktop\INV00987890.exeCode function: 4_2_06981782 push es; ret
                    Source: C:\Users\user\Desktop\INV00987890.exeCode function: 4_2_069817B9 push es; ret
                    Source: C:\Users\user\Desktop\INV00987890.exeCode function: 4_2_069817B2 push es; ret
                    Source: C:\Users\user\Desktop\INV00987890.exeCode function: 4_2_069817AA push es; ret
                    Source: C:\Users\user\Desktop\INV00987890.exeCode function: 4_2_069817A1 push es; ret
                    Source: C:\Users\user\Desktop\INV00987890.exeCode function: 4_2_069817DA push es; ret
                    Source: C:\Users\user\Desktop\INV00987890.exeCode function: 4_2_069817D1 push es; ret
                    Source: C:\Users\user\Desktop\INV00987890.exeCode function: 4_2_069817CA push es; ret
                    Source: C:\Users\user\Desktop\INV00987890.exeCode function: 4_2_0698A3C0 push es; ret
                    Source: C:\Users\user\Desktop\INV00987890.exeCode function: 4_2_069817C2 push es; ret
                    Source: C:\Users\user\Desktop\INV00987890.exeCode function: 4_2_069817EA push es; ret
                    Source: C:\Users\user\Desktop\INV00987890.exeCode function: 4_2_069817E2 push es; ret
                    Source: C:\Users\user\Desktop\INV00987890.exeCode function: 4_2_0698177A push es; ret
                    Source: C:\Users\user\Desktop\INV00987890.exeCode function: 4_2_069818BD push es; ret
                    Source: C:\Users\user\Desktop\INV00987890.exeCode function: 4_2_069840B1 push es; iretd
                    Source: C:\Users\user\Desktop\INV00987890.exeCode function: 4_2_069818DD push es; ret
                    Source: C:\Users\user\Desktop\INV00987890.exeCode function: 4_2_0698181A push es; ret
                    Source: C:\Users\user\Desktop\INV00987890.exeCode function: 4_2_06981816 push es; ret
                    Source: C:\Users\user\Desktop\INV00987890.exeCode function: 4_2_06981832 push es; ret
                    Source: C:\Users\user\Desktop\INV00987890.exeCode function: 4_2_0698182A push es; ret
                    Source: C:\Users\user\Desktop\INV00987890.exeCode function: 4_2_06981826 push es; ret
                    Source: C:\Users\user\Desktop\INV00987890.exeCode function: 4_2_0698187E push es; ret
                    Source: C:\Users\user\Desktop\INV00987890.exeCode function: 4_2_06981872 push es; ret
                    Source: initial sampleStatic PE information: section name: .text entropy: 7.4693135193
                    Source: C:\Users\user\Desktop\INV00987890.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    barindex
                    Yara detected AntiVM3
                    Source: Yara matchFile source: Process Memory Space: INV00987890.exe PID: 6468, type: MEMORYSTR
                    Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                    Source: INV00987890.exe, 00000000.00000002.304517618.00000000027B7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
                    Source: INV00987890.exe, 00000000.00000002.304517618.00000000027B7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                    Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                    Source: C:\Users\user\Desktop\INV00987890.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                    Source: C:\Users\user\Desktop\INV00987890.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\INV00987890.exe TID: 6560Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\INV00987890.exe TID: 244Thread sleep time: -19369081277395017s >= -30000s
                    Source: C:\Users\user\Desktop\INV00987890.exe TID: 5264Thread sleep count: 4935 > 30
                    Source: C:\Users\user\Desktop\INV00987890.exe TID: 5264Thread sleep count: 3609 > 30
                    Source: C:\Users\user\Desktop\INV00987890.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\INV00987890.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\INV00987890.exeWindow / User API: threadDelayed 4935
                    Source: C:\Users\user\Desktop\INV00987890.exeWindow / User API: threadDelayed 3609
                    Source: C:\Users\user\Desktop\INV00987890.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\INV00987890.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\INV00987890.exeThread delayed: delay time: 922337203685477
                    Source: INV00987890.exe, 00000000.00000002.304517618.00000000027B7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
                    Source: INV00987890.exe, 00000000.00000002.304517618.00000000027B7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
                    Source: INV00987890.exe, 00000000.00000002.304517618.00000000027B7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                    Source: INV00987890.exe, 00000000.00000002.304517618.00000000027B7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                    Source: INV00987890.exe, 00000004.00000002.533642050.0000000006A50000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000004.00000002.533756870.0000000006AF1000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000004.00000003.346614551.0000000006A69000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000004.00000003.345689651.0000000006A7F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                    Source: INV00987890.exe, 00000000.00000002.304517618.00000000027B7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWARE
                    Source: INV00987890.exe, 00000000.00000002.304517618.00000000027B7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                    Source: INV00987890.exe, 00000000.00000002.304517618.00000000027B7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                    Source: INV00987890.exe, 00000000.00000002.304517618.00000000027B7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA II
                    Source: INV00987890.exe, 00000000.00000002.304517618.00000000027B7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess token adjusted: Debug
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess token adjusted: Debug
                    Source: C:\Users\user\Desktop\INV00987890.exeCode function: 4_2_069CB228 LdrInitializeThunk,
                    Source: C:\Users\user\Desktop\INV00987890.exeMemory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    barindex
                    Modifies the hosts file
                    Source: C:\Users\user\Desktop\INV00987890.exeFile written: C:\Windows\System32\drivers\etc\hostsJump to behavior
                    Source: C:\Users\user\Desktop\INV00987890.exeProcess created: C:\Users\user\Desktop\INV00987890.exe {path}
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Users\user\Desktop\INV00987890.exe VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Users\user\Desktop\INV00987890.exe VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\INV00987890.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Lowering of HIPS / PFW / Operating System Security Settings

                    barindex
                    Modifies the hosts file
                    Source: C:\Users\user\Desktop\INV00987890.exeFile written: C:\Windows\System32\drivers\etc\hostsJump to behavior

                    Stealing of Sensitive Information

                    barindex
                    Yara detected AgentTesla
                    Source: Yara matchFile source: 4.0.INV00987890.exe.400000.10.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.INV00987890.exe.400000.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.INV00987890.exe.400000.12.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.INV00987890.exe.3599a00.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.INV00987890.exe.400000.8.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.INV00987890.exe.3553fa0.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.INV00987890.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.INV00987890.exe.400000.6.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.INV00987890.exe.3553fa0.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000004.00000002.526824095.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000000.295217525.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000000.296078130.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000000.295669546.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000000.296713839.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.306417687.000000000345F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000002.529292759.0000000003171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: INV00987890.exe PID: 6468, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: INV00987890.exe PID: 6764, type: MEMORYSTR
                    Tries to steal Mail credentials (via file / registry access)
                    Source: C:\Users\user\Desktop\INV00987890.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\Desktop\INV00987890.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\Desktop\INV00987890.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Users\user\Desktop\INV00987890.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                    Source: C:\Users\user\Desktop\INV00987890.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Tries to harvest and steal ftp login credentials
                    Source: C:\Users\user\Desktop\INV00987890.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                    Source: C:\Users\user\Desktop\INV00987890.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                    Tries to harvest and steal browser information (history, passwords, etc)
                    Source: C:\Users\user\Desktop\INV00987890.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Users\user\Desktop\INV00987890.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: Yara matchFile source: 00000004.00000002.529292759.0000000003171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: INV00987890.exe PID: 6764, type: MEMORYSTR

                    Remote Access Functionality

                    barindex
                    Yara detected AgentTesla
                    Source: Yara matchFile source: 4.0.INV00987890.exe.400000.10.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.INV00987890.exe.400000.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.INV00987890.exe.400000.12.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.INV00987890.exe.3599a00.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.INV00987890.exe.400000.8.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.INV00987890.exe.3553fa0.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.INV00987890.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.0.INV00987890.exe.400000.6.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.INV00987890.exe.3553fa0.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000004.00000002.526824095.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000000.295217525.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000000.296078130.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000000.295669546.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000000.296713839.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.306417687.000000000345F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000002.529292759.0000000003171000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: INV00987890.exe PID: 6468, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: INV00987890.exe PID: 6764, type: MEMORYSTR

                    Mitre Att&ck Matrix

                    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                    Valid Accounts211
                    Windows Management Instrumentation                    		Path Interception11
                    Process Injection                    		1
                    Masquerading                    		2
                    OS Credential Dumping                    		1
                    Query Registry                    		Remote Services1
                    Email Collection                    		Exfiltration Over Other Network Medium1
                    Encrypted Channel                    		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
                    File and Directory Permissions Modification                    		1
                    Credentials in Registry                    		211
                    Security Software Discovery                    		Remote Desktop Protocol11
                    Archive Collected Data                    		Exfiltration Over Bluetooth1
                    Non-Standard Port                    		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)1
                    Disable or Modify Tools                    		Security Account Manager1
                    Process Discovery                    		SMB/Windows Admin Shares2
                    Data from Local System                    		Automated Exfiltration1
                    Non-Application Layer Protocol                    		Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)131
                    Virtualization/Sandbox Evasion                    		NTDS131
                    Virtualization/Sandbox Evasion                    		Distributed Component Object ModelInput CaptureScheduled Transfer11
                    Application Layer Protocol                    		SIM Card SwapCarrier Billing Fraud
                    Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script11
                    Process Injection                    		LSA Secrets1
                    Application Window Discovery                    		SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                    Replication Through Removable MediaLaunchdRc.commonRc.common1
                    Deobfuscate/Decode Files or Information                    		Cached Domain Credentials1
                    Remote System Discovery                    		VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                    External Remote ServicesScheduled TaskStartup ItemsStartup Items3
                    Obfuscated Files or Information                    		DCSync114
                    System Information Discovery                    		Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                    Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job3
                    Software Packing                    		Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

                    Behavior Graph

                    Hide Legend

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet

                    Screenshots

                    Thumbnails

                    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                    windows-stand

                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

                    SourceDetectionScannerLabelLink
                    INV00987890.exe31%VirustotalBrowse
                    INV00987890.exe27%ReversingLabs
                    INV00987890.exe100%Joe Sandbox ML

                    Dropped Files

                    No Antivirus matches

                    Unpacked PE Files

                    SourceDetectionScannerLabelLinkDownload
                    4.0.INV00987890.exe.400000.12.unpack100%AviraTR/Spy.Gen8Download File
                    4.0.INV00987890.exe.400000.8.unpack100%AviraTR/Spy.Gen8Download File
                    4.2.INV00987890.exe.400000.0.unpack100%AviraTR/Spy.Gen8Download File
                    4.0.INV00987890.exe.400000.6.unpack100%AviraTR/Spy.Gen8Download File
                    4.0.INV00987890.exe.400000.10.unpack100%AviraTR/Spy.Gen8Download File
                    4.0.INV00987890.exe.400000.4.unpack100%AviraTR/Spy.Gen8Download File

                    Domains

                    SourceDetectionScannerLabelLink
                    maviksel.com0%VirustotalBrowse

                    URLs

                    SourceDetectionScannerLabelLink
                    http://127.0.0.1:HTTP/1.10%Avira URL Cloudsafe
                    http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
                    http://www.founder.com.cn/cnR0%URL Reputationsafe
                    https://BJANwyE880kOV.net0%Avira URL Cloudsafe
                    http://www.tiro.com0%URL Reputationsafe
                    http://www.founder.c0%URL Reputationsafe
                    https://api.ipify.org%%startupfolder%0%URL Reputationsafe
                    http://www.goodfont.co.kr0%URL Reputationsafe
                    http://www.carterandcone.com0%URL Reputationsafe
                    http://www.tiro.comA0%Avira URL Cloudsafe
                    http://r3.i.lencr.org/00%URL Reputationsafe
                    http://www.sajatypeworks.com0%URL Reputationsafe
                    http://www.typography.netD0%URL Reputationsafe
                    http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
                    http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
                    http://fontfabrik.com0%URL Reputationsafe
                    http://www.fonts.comic0%URL Reputationsafe
                    http://www.founder.com.cn/cnk0%URL Reputationsafe
                    http://www.fonts.comnr20%Avira URL Cloudsafe
                    http://www.urwpp.de.0%URL Reputationsafe
                    http://x1.c.lencr.org/00%URL Reputationsafe
                    http://x1.i.lencr.org/00%URL Reputationsafe
                    http://www.fontbureau.comcom0%URL Reputationsafe
                    http://NEjfKK.com0%Avira URL Cloudsafe
                    http://DynDns.comDynDNSnamejidpasswordPsi/Psi0%URL Reputationsafe
                    http://r3.o.lencr.org00%URL Reputationsafe
                    http://www.fontbureau.commn0%Avira URL Cloudsafe
                    http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
                    http://www.sandoll.co.krati0%Avira URL Cloudsafe
                    http://www.sandoll.co.kr0%URL Reputationsafe
                    http://www.urwpp.deDPlease0%URL Reputationsafe
                    http://www.urwpp.de0%URL Reputationsafe
                    http://www.zhongyicts.com.cn0%URL Reputationsafe
                    http://www.fontbureau.comalsdw0%Avira URL Cloudsafe
                    http://www.sakkal.com0%URL Reputationsafe
                    https://api.ipify.org%0%URL Reputationsafe
                    http://maviksel.com0%Avira URL Cloudsafe
                    http://x1.i.lencr.org/0%URL Reputationsafe
                    http://www.fontbureau.comF0%URL Reputationsafe
                    http://www.sajatypeworks.coma-d%0%Avira URL Cloudsafe
                    http://cps.letsencrypt.org00%URL Reputationsafe
                    http://www.fontbureau.comueta0%URL Reputationsafe
                    http://www.fontbureau.comM0%Avira URL Cloudsafe
                    http://www.fontbureau.comdw0%Avira URL Cloudsafe
                    https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www0%URL Reputationsafe
                    http://www.fonts.comnte0%Avira URL Cloudsafe
                    http://www.fontbureau.coma0%URL Reputationsafe
                    http://www.fontbureau.comd0%URL Reputationsafe
                    http://www.fontbureau.comeM0%Avira URL Cloudsafe
                    http://mail.maviksel.com0%Avira URL Cloudsafe
                    http://www.carterandcone.coml0%URL Reputationsafe
                    http://www.founder.com.cn/cn/0%URL Reputationsafe
                    http://www.founder.com.cn/cn0%URL Reputationsafe
                    http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
                    https://BJANwyE880kOV.net853321935-2125563209-4053062332-1002_Classes0%Avira URL Cloudsafe
                    http://www.fontbureau.comalic0%URL Reputationsafe
                    http://www.urwpp.dem0%Avira URL Cloudsafe
                    http://www.founder.com.cn/cns-m0%Avira URL Cloudsafe

                    Domains and IPs

                    Contacted Domains

                    NameIPActiveMaliciousAntivirus DetectionReputation
                    maviksel.com
                    		162.215.253.210
                    		truetrueunknown
                    x1.i.lencr.org
                    		unknown
                    		unknownfalse
                      		unknown
                      mail.maviksel.com
                      		unknown
                      		unknowntrue
                        		unknown

                        URLs from Memory and Binaries

                        NameSourceMaliciousAntivirus DetectionReputation
                        http://127.0.0.1:HTTP/1.1INV00987890.exe, 00000004.00000002.529292759.0000000003171000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        		low
                        http://www.fontbureau.com/designersGINV00987890.exe, 00000000.00000002.309175319.0000000006662000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          http://www.fontbureau.com/designers/?INV00987890.exe, 00000000.00000002.309175319.0000000006662000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            http://www.founder.com.cn/cn/bTheINV00987890.exe, 00000000.00000002.309175319.0000000006662000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.fontbureau.com/designers?INV00987890.exe, 00000000.00000002.309175319.0000000006662000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              http://www.founder.com.cn/cnRINV00987890.exe, 00000000.00000003.267409325.000000000540D000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              https://BJANwyE880kOV.netINV00987890.exe, 00000004.00000002.531371637.00000000034F3000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://www.tiro.comINV00987890.exe, 00000000.00000002.309175319.0000000006662000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://www.fontbureau.com/designersINV00987890.exe, 00000000.00000002.309175319.0000000006662000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                http://www.founder.cINV00987890.exe, 00000000.00000003.267436367.00000000053D4000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                https://api.ipify.org%%startupfolder%INV00987890.exe, 00000004.00000002.529292759.0000000003171000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		low
                                http://www.goodfont.co.krINV00987890.exe, 00000000.00000002.309175319.0000000006662000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.carterandcone.comINV00987890.exe, 00000000.00000003.271107327.00000000053DD000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.270816122.00000000053DD000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.270557812.00000000053DD000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.tiro.comAINV00987890.exe, 00000000.00000003.265410217.00000000053EB000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.265488221.00000000053EB000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://r3.i.lencr.org/0INV00987890.exe, 00000004.00000002.531118006.00000000034D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.sajatypeworks.comINV00987890.exe, 00000000.00000003.264890640.00000000053EB000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.typography.netDINV00987890.exe, 00000000.00000002.309175319.0000000006662000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.founder.com.cn/cn/cTheINV00987890.exe, 00000000.00000002.309175319.0000000006662000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.galapagosdesign.com/staff/dennis.htmINV00987890.exe, 00000000.00000002.309175319.0000000006662000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://fontfabrik.comINV00987890.exe, 00000000.00000003.265410217.00000000053EB000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000002.309175319.0000000006662000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.fonts.comicINV00987890.exe, 00000000.00000003.265099327.00000000053EB000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.265126207.00000000053EB000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.founder.com.cn/cnkINV00987890.exe, 00000000.00000003.267836467.00000000053D4000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.267986661.00000000053DB000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.267436367.00000000053D4000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.fonts.comnr2INV00987890.exe, 00000000.00000003.265029682.00000000053EB000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://www.urwpp.de.INV00987890.exe, 00000000.00000003.276313639.00000000053D9000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://x1.c.lencr.org/0INV00987890.exe, 00000004.00000002.531118006.00000000034D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://x1.i.lencr.org/0INV00987890.exe, 00000004.00000002.531118006.00000000034D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.fontbureau.comcomINV00987890.exe, 00000000.00000003.274943515.00000000053D9000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.276313639.00000000053D9000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.275367663.00000000053DA000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://NEjfKK.comINV00987890.exe, 00000004.00000002.529292759.0000000003171000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://DynDns.comDynDNSnamejidpasswordPsi/PsiINV00987890.exe, 00000004.00000002.529292759.0000000003171000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://r3.o.lencr.org0INV00987890.exe, 00000004.00000002.531118006.00000000034D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.fontbureau.commnINV00987890.exe, 00000000.00000003.274943515.00000000053D9000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.276313639.00000000053D9000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.275367663.00000000053DA000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://www.galapagosdesign.com/DPleaseINV00987890.exe, 00000000.00000002.309175319.0000000006662000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://www.sandoll.co.kratiINV00987890.exe, 00000000.00000003.266564650.00000000053D9000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://www.fonts.comINV00987890.exe, 00000000.00000003.265029682.00000000053EB000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000002.309175319.0000000006662000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.264949600.00000000053EB000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://www.sandoll.co.krINV00987890.exe, 00000000.00000002.309175319.0000000006662000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.266564650.00000000053D9000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.urwpp.deDPleaseINV00987890.exe, 00000000.00000002.309175319.0000000006662000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.urwpp.deINV00987890.exe, 00000000.00000003.276313639.00000000053D9000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.zhongyicts.com.cnINV00987890.exe, 00000000.00000002.309175319.0000000006662000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.fontbureau.comalsdwINV00987890.exe, 00000000.00000003.276313639.00000000053D9000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  http://www.sakkal.comINV00987890.exe, 00000000.00000002.309175319.0000000006662000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  https://api.ipify.org%INV00987890.exe, 00000004.00000002.529292759.0000000003171000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		low
                                  http://www.fontbureau.com/deINV00987890.exe, 00000000.00000003.278527778.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.278472905.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.281901697.0000000005402000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.279181554.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.280387812.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.281286258.000000000540D000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.280312610.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.278741035.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.281875487.00000000053FF000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.278224495.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.280120374.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.279720695.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.278188080.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.278682189.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.279603178.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.278155597.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.278710128.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.279112580.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.278278704.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.279325032.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.281707943.000000000540D000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    http://maviksel.comINV00987890.exe, 00000004.00000002.531118006.00000000034D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    http://www.apache.org/licenses/LICENSE-2.0INV00987890.exe, 00000000.00000002.309175319.0000000006662000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      http://www.fontbureau.comINV00987890.exe, 00000000.00000003.276313639.00000000053D9000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000002.309175319.0000000006662000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000002.308767318.00000000053D0000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.298547621.00000000053D0000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        http://x1.i.lencr.org/2D85F72862B55C4EADD9E66E06947F3D0.4.drfalse
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.fontbureau.comFINV00987890.exe, 00000000.00000003.276313639.00000000053D9000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.sajatypeworks.coma-d%INV00987890.exe, 00000000.00000003.265029682.00000000053EB000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.265085729.00000000053F4000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.264743780.00000000053EB000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.264685681.00000000053EB000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.264814672.00000000053EB000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.264852176.00000000053EB000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.264630003.00000000053EB000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.264949600.00000000053EB000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.264890640.00000000053EB000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        		low
                                        http://www.fontbureau.com/designers/cabarga.htmlpINV00987890.exe, 00000000.00000003.276526018.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.275998575.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.277261918.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.276292788.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.277989711.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.276145647.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.275621528.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.276978947.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.277921796.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.277735473.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.276553761.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.275946542.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.276699756.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.277295426.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.275437800.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.277761576.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.276877803.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.275842686.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.275718248.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.275888860.0000000005405000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.276098140.0000000005405000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          http://cps.letsencrypt.org0INV00987890.exe, 00000004.00000002.531118006.00000000034D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.fontbureau.comuetaINV00987890.exe, 00000000.00000003.274943515.00000000053D9000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.275367663.00000000053DA000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.fontbureau.comMINV00987890.exe, 00000000.00000002.308767318.00000000053D0000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.298547621.00000000053D0000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.fontbureau.comdwINV00987890.exe, 00000000.00000003.274943515.00000000053D9000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.275367663.00000000053DA000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://wwwINV00987890.exe, 00000004.00000002.529292759.0000000003171000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.fonts.comnteINV00987890.exe, 00000000.00000003.265029682.00000000053EB000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.264949600.00000000053EB000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.fontbureau.comaINV00987890.exe, 00000000.00000002.308767318.00000000053D0000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.298547621.00000000053D0000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.fontbureau.comdINV00987890.exe, 00000000.00000003.276313639.00000000053D9000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.fontbureau.comeMINV00987890.exe, 00000000.00000003.273991474.00000000053D8000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.274943515.00000000053D9000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://mail.maviksel.comINV00987890.exe, 00000004.00000002.531118006.00000000034D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          		unknown
                                          http://www.carterandcone.comlINV00987890.exe, 00000000.00000002.309175319.0000000006662000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.founder.com.cn/cn/INV00987890.exe, 00000000.00000003.267836467.00000000053D4000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.fontbureau.com/designers/cabarga.htmlNINV00987890.exe, 00000000.00000002.309175319.0000000006662000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            http://www.founder.com.cn/cnINV00987890.exe, 00000000.00000002.309175319.0000000006662000.00000004.00000800.00020000.00000000.sdmp, INV00987890.exe, 00000000.00000003.267409325.000000000540D000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            http://www.fontbureau.com/designers/frere-jones.htmlINV00987890.exe, 00000000.00000002.309175319.0000000006662000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              http://www.fontbureau.com/designers/cabarga.htmlINV00987890.exe, 00000000.00000003.275437800.0000000005405000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                http://www.jiyu-kobo.co.jp/INV00987890.exe, 00000000.00000002.309175319.0000000006662000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown
                                                https://BJANwyE880kOV.net853321935-2125563209-4053062332-1002_ClassesINV00987890.exe, 00000004.00000003.317448459.00000000014C4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		low
                                                http://www.fontbureau.com/designers8INV00987890.exe, 00000000.00000002.309175319.0000000006662000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  http://www.fontbureau.comalicINV00987890.exe, 00000000.00000003.276313639.00000000053D9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  		unknown
                                                  http://www.urwpp.demINV00987890.exe, 00000000.00000003.276313639.00000000053D9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  http://www.founder.com.cn/cns-mINV00987890.exe, 00000000.00000003.267409325.000000000540D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  		unknown

                                                  World Map of Contacted IPs

                                                  • No. of IPs < 25%
                                                  • 25% < No. of IPs < 50%
                                                  • 50% < No. of IPs < 75%
                                                  • 75% < No. of IPs

                                                  Public IPs

                                                  IPDomainCountryFlagASNASN NameMalicious
                                                  162.215.253.210
                                                  		maviksel.comUnited States
                                                  		394695PUBLIC-DOMAIN-REGISTRYUStrue

                                                  General Information

                                                  Joe Sandbox Version:34.0.0 Boulder Opal
                                                  Analysis ID:635170
                                                  Start date and time: 27/05/202216:20:102022-05-27 16:20:10 +02:00
                                                  Joe Sandbox Product:CloudBasic
                                                  Overall analysis duration:0h 10m 11s
                                                  Hypervisor based Inspection enabled:false
                                                  Report type:light
                                                  Sample file name:INV00987890.exe
                                                  Cookbook file name:default.jbs
                                                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                  Number of analysed new started processes analysed:24
                                                  Number of new started drivers analysed:0
                                                  Number of existing processes analysed:0
                                                  Number of existing drivers analysed:0
                                                  Number of injected processes analysed:0
                                                  Technologies:
                                                  • HCA enabled
                                                  • EGA enabled
                                                  • HDC enabled
                                                  • AMSI enabled
                                                  Analysis Mode:default
                                                  Analysis stop reason:Timeout
                                                  Detection:MAL
                                                  Classification:mal100.troj.adwa.spyw.evad.winEXE@3/6@3/1
                                                  EGA Information:
                                                  • Successful, ratio: 100%
                                                  HDC Information:
                                                  • Successful, ratio: 0.1% (good quality ratio 0.1%)
                                                  • Quality average: 60.8%
                                                  • Quality standard deviation: 30.7%
                                                  HCA Information:
                                                  • Successful, ratio: 100%
                                                  • Number of executed functions: 0
                                                  • Number of non-executed functions: 0
                                                  Cookbook Comments:
                                                  • Found application associated with file extension: .exe
                                                  • Adjust boot time
                                                  • Enable AMSI

                                                  Warnings

                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                  • Excluded IPs from analysis (whitelisted): 23.50.97.168, 93.184.221.240, 173.222.108.210, 173.222.108.226
                                                  • Excluded domains from analysis (whitelisted): fs.microsoft.com, e8652.dscx.akamaiedge.net, wu.ec.azureedge.net, ctldl.windowsupdate.com, a767.dspw65.akamai.net, arc.msn.com, wu-bg-shim.trafficmanager.net, wu.azureedge.net, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, login.live.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, sls.update.microsoft.com, hlb.apr-52dd2-0.edgecastdns.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, cdn.onenote.net, crl.root-x1.letsencrypt.org.edgekey.net
                                                  • Not all processes where analyzed, report is missing behavior information
                                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                  • Report size getting too big, too many NtQueryValueKey calls found.

                                                  Simulations

                                                  Behavior and APIs

                                                  TimeTypeDescription
                                                  16:21:31API Interceptor693x Sleep call for process: INV00987890.exe modified

                                                  Joe Sandbox View / Context

                                                  IPs

                                                  No context

                                                  Domains

                                                  No context

                                                  ASNs

                                                  No context

                                                  JA3 Fingerprints

                                                  No context

                                                  Dropped Files

                                                  No context

                                                  Created / dropped Files

                                                  C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

                                                  Download File
                                                  Process:C:\Users\user\Desktop\INV00987890.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):1391
                                                  Entropy (8bit):7.705940075877404
                                                  Encrypted:false
                                                  SSDEEP:24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
                                                  MD5:0CD2F9E0DA1773E9ED864DA5E370E74E
                                                  SHA1:CABD2A79A1076A31F21D253635CB039D4329A5E8
                                                  SHA-256:96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
                                                  SHA-512:3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
                                                  Malicious:false
                                                  Reputation:moderate, very likely benign file
                                                  Preview:0..k0..S............@.YDc.c...0...*.H........0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10...150604110438Z..350604110438Z0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10.."0...*.H.............0..........$s..7.+W(.....8..n<.W.x.u...jn..O(..h.lD...c...k....1.!~.3<.H..y.....!.K...qiJffl.~<p..)"......K...~....G.|.H#S.8.O.o...IW..t../.8.{.p!.u.0<.....c...O..K~.....w...{J.L.%.p..)..S$........J.?..aQ.....cq...o[...\4ylv.;.by.../&.....................6....7..6u...r......I.....*.A..v........5/(.l....dwnG7..Y^h..r...A)>Y>.&.$...Z.L@.F....:Qn.;.}r...xY.>Qx....../..>{J.Ks......P.|C.t..t.....0.[q6....00\H..;..}`...).........A.......|.;F.H*..v.v..j.=...8.d..+..(.....B.".'].y...p..N..:..'Qn..d.3CO......B0@0...U...........0...U.......0....0...U......y.Y.{....s.....X..n0...*.H.............U.X....P.....i ')..au\.n...i/..VK..s.Y.!.~.Lq...`.9....!V..P.Y...Y.............b.E.f..|o..;.....'...}~.."......

                                                  C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

                                                  Download File
                                                  Process:C:\Users\user\Desktop\INV00987890.exe
                                                  File Type:Microsoft Cabinet archive data, 61476 bytes, 1 file
                                                  Category:dropped
                                                  Size (bytes):61476
                                                  Entropy (8bit):7.995018321729444
                                                  Encrypted:true
                                                  SSDEEP:1536:NATLwfiuePkACih0/8uIwf5CiqGLhk1V/AFnGegJR:N7nePk5gKsoBha/0GTf
                                                  MD5:308336E7F515478969B24C13DED11EDE
                                                  SHA1:8FB0CF42B77DBBEF224A1E5FC38ABC2486320775
                                                  SHA-256:889B832323726A9F10AD03F85562048FDCFE20C9FF6F9D37412CF477B4E92FF9
                                                  SHA-512:61AD97228CD6C3909EF3AC5E4940199971F293BDD0D5EB7916E60469573A44B6287C0FA1E0B6C1389DF35EB6C9A7D2A61FDB318D4A886A3821EF5A9DAB3AC24F
                                                  Malicious:false
                                                  Reputation:moderate, very likely benign file
                                                  Preview:MSCF....$.......,...................I........w.........Tp. .authroot.stl.H#F..4..CK..<Tk...c_.d....A.F...,.&K..*i.RJJ..J.".%.KY"{n...."{..Lu3.Ln........y...........M.:...<. v...H..~.#Ov.a0xN....)..C..t.z.,x.00.1``L......L.\..1.|..2.1.0mD...H1/......G..UT7!...r.X:....D.0.0...M....I(.-.+..v#...(.r.....z.Y`&hw..Gl+.je.e.j..{.1......9f=.&.........s.W...L.].+...).f...u.....8....}R...w.X..>.A.Yw...a.x...T8V.e...^.7.q..t^.+....f.q).B.M......64.<!W(........D!.0.t "X...l.....D0.......+...A......0.o..t93.v..O1V x}H.S)....GH.6.l...p2.(4k.....!,.L`......h:.a]?......J9.\..Ww........%......a4E...q.*...#..a..y..M..R.t..Z2!.T.Ua.k.'O..\./ d.F>.V...3...._.J....."....wI..'..z...j..Ds...qZ...[..........O<.d.K..hH@c1....[w7..z...l....h,.b.........'.w.......bO.i{.......+.-...H..."<...L.Tu}.Y.lB.]3..4..G.3..`E..NF......{o.h]}p....G..$..4....;..&.O.d....v:Ik.T..ObLq..&.j.j...B9.(..!..\.:K`.....:O..N.....C..jD:.i.......1.....eCo.c..3o.........nN.D..3.7...

                                                  C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D

                                                  Download File
                                                  Process:C:\Users\user\Desktop\INV00987890.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):192
                                                  Entropy (8bit):2.759454828358771
                                                  Encrypted:false
                                                  SSDEEP:3:kkFklFgPvfllXlE/zMcjxrXNNX8RolJuRdyo1dlUKlGXJlDdt:kKjPk1NpNMa8Rdy+UKcXP
                                                  MD5:1E734632A3B797F921CA36FCBA267555
                                                  SHA1:FB8E9CB639A6BD642026CB80134C8954087CD7B7
                                                  SHA-256:94D9398F502DE05859F4976BC6DFE4CB72FF4D3E80B898C3A8404B3DA3F63965
                                                  SHA-512:DE4945AF965CDACAF1C5C82D56ED577CDFF533364D4E5247F66813878AC3729EE2DC39DFC01C9121218446EB3A46011F22AD0F78B1B12B54546AA0A70093446B
                                                  Malicious:false
                                                  Reputation:low
                                                  Preview:p...... ........v.h.%r..(....................................................... ..........~....T..............o...h.t.t.p.:././.x.1...i...l.e.n.c.r...o.r.g./...".5.a.6.2.8.1.5.c.-.5.6.f."...

                                                  C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

                                                  Download File
                                                  Process:C:\Users\user\Desktop\INV00987890.exe
                                                  File Type:data
                                                  Category:modified
                                                  Size (bytes):328
                                                  Entropy (8bit):3.0985636032074564
                                                  Encrypted:false
                                                  SSDEEP:6:kKnmN+SkQlPlEGYRMY9z+4KlDA3RUecl7PG1:9kPlE99SNxAhUecl61
                                                  MD5:C02354F3A48768C5598D49EEFEA51317
                                                  SHA1:F03F057C0EC871499B069FC065FB34B0974B3F47
                                                  SHA-256:14E0058B73254FC3210F10EB51D5558E82481428D694CB368361CBCCEF22C8F9
                                                  SHA-512:FA8A54F6F4F8431B1778FEFB0A2CB8AFC88B88EB12054C87E28384A2B1AA45E0C7FA4B8766FFF15C084B5688CB4C2BD58CD8CFA82FAEEF764668A74A4EFFF618
                                                  Malicious:false
                                                  Reputation:low
                                                  Preview:p...... .........S.8&r..(....................................................... ........3f..o......&...........$...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.3.3.6.6.b.4.9.0.6.f.d.8.1.:.0."...

                                                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\INV00987890.exe.log

                                                  Download File
                                                  Process:C:\Users\user\Desktop\INV00987890.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1216
                                                  Entropy (8bit):5.355304211458859
                                                  Encrypted:false
                                                  SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
                                                  MD5:69206D3AF7D6EFD08F4B4726998856D3
                                                  SHA1:E778D4BF781F7712163CF5E2F5E7C15953E484CF
                                                  SHA-256:A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
                                                  SHA-512:CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
                                                  Malicious:true
                                                  Reputation:high, very likely benign file
                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

                                                  C:\Windows\System32\drivers\etc\hosts

                                                  Download File
                                                  Process:C:\Users\user\Desktop\INV00987890.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):835
                                                  Entropy (8bit):4.694294591169137
                                                  Encrypted:false
                                                  SSDEEP:24:QWDZh+ragzMZfuMMs1L/JU5fFCkK8T1rTt8:vDZhyoZWM9rU5fFcP
                                                  MD5:6EB47C1CF858E25486E42440074917F2
                                                  SHA1:6A63F93A95E1AE831C393A97158C526A4FA0FAAE
                                                  SHA-256:9B13A3EA948A1071A81787AAC1930B89E30DF22CE13F8FF751F31B5D83E79FFB
                                                  SHA-512:08437AB32E7E905EB11335E670CDD5D999803390710ED39CBC31A2D3F05868D5D0E5D051CCD7B06A85BB466932F99A220463D27FAC29116D241E8ADAC495FA2F
                                                  Malicious:true
                                                  Preview:# Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost....127.0.0.1

                                                  Static File Info

                                                  General

                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Entropy (8bit):7.457754043877134
                                                  TrID:
                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                  • Win32 Executable (generic) a (10002005/4) 49.78%
                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                  • DOS Executable Generic (2002/1) 0.01%
                                                  File name:INV00987890.exe
                                                  File size:518144
                                                  MD5:fe5cab253ef5708d03dd6970e105b6c6
                                                  SHA1:d7d0ba487169c56e33e92064b482c2d56d5dba5e
                                                  SHA256:80f5923e2037f3596f2bebec849a1a55221c37c714d14eca6bdd35e12351ec7d
                                                  SHA512:d522c952a8f8b0b619b488fde6571182ed27628a66f9b309dfb204e13cf211be29800eb01493294937579a227fe5a928dbbd4228de6344e31c7c0f376a3565d8
                                                  SSDEEP:12288:VYEEIBxW7R0OfmlLBhek6U02K+olrtM5Jj:VxEMxW7WUmxHBH0lrtM5l
                                                  TLSH:90B4DF013BAC7A12E66BDB3550A1804453F2844FBA33E51E3EDF2CDF16A6B149760B79
                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...'..b..............P.............&.... ........@.. .......................@............@................................

                                                  File Icon

                                                  Icon Hash:00828e8e8686b000

                                                  Static PE Info

                                                  General

                                                  Entrypoint:0x47fd26
                                                  Entrypoint Section:.text
                                                  Digitally signed:false
                                                  Imagebase:0x400000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                  Time Stamp:0x6290BC27 [Fri May 27 11:55:19 2022 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:v4.0.30319
                                                  OS Version Major:4
                                                  OS Version Minor:0
                                                  File Version Major:4
                                                  File Version Minor:0
                                                  Subsystem Version Major:4
                                                  Subsystem Version Minor:0
                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                  Entrypoint Preview

                                                  Instruction
                                                  jmp dword ptr [00402000h]
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al

                                                  Data Directories

                                                  NameVirtual AddressVirtual Size Is in Section
                                                  IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_IMPORT0x7fcd40x4f.text
                                                  IMAGE_DIRECTORY_ENTRY_RESOURCE0x800000x5c0.rsrc
                                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_BASERELOC0x820000xc.reloc
                                                  IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                  IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                  Sections

                                                  NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                  .text0x20000x7dd2c0x7de00False0.779971837761data7.4693135193IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                  .rsrc0x800000x5c00x600False0.427734375data4.12439241181IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                  .reloc0x820000xc0x200False0.044921875data0.101910425663IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                  Resources

                                                  NameRVASizeTypeLanguageCountry
                                                  RT_VERSION0x800900x330data
                                                  RT_MANIFEST0x803d00x1eaXML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                  Imports

                                                  DLLImport
                                                  mscoree.dll_CorExeMain

                                                  Version Infos

                                                  DescriptionData
                                                  Translation0x0000 0x04b0
                                                  LegalCopyrightCopyright HP Inc. 2019
                                                  Assembly Version1.0.4.0
                                                  InternalNameTNVeK.exe
                                                  FileVersion1.0.4.0
                                                  CompanyNameHP Inc.
                                                  LegalTrademarks
                                                  Comments
                                                  ProductNameFinal Setup
                                                  ProductVersion1.0.4.0
                                                  FileDescriptionFinal Setup
                                                  OriginalFilenameTNVeK.exe

                                                  Network Behavior

                                                  Network Port Distribution

                                                  TCP Packets

                                                  TimestampSource PortDest PortSource IPDest IP
                                                  May 27, 2022 16:21:53.984049082 CEST49753587192.168.2.3162.215.253.210
                                                  May 27, 2022 16:21:54.153772116 CEST58749753162.215.253.210192.168.2.3
                                                  May 27, 2022 16:21:54.153924942 CEST49753587192.168.2.3162.215.253.210
                                                  May 27, 2022 16:21:55.639431953 CEST58749753162.215.253.210192.168.2.3
                                                  May 27, 2022 16:21:55.639763117 CEST49753587192.168.2.3162.215.253.210
                                                  May 27, 2022 16:21:55.807671070 CEST58749753162.215.253.210192.168.2.3
                                                  May 27, 2022 16:21:55.807991028 CEST49753587192.168.2.3162.215.253.210
                                                  May 27, 2022 16:21:55.977329969 CEST58749753162.215.253.210192.168.2.3
                                                  May 27, 2022 16:21:56.085055113 CEST49753587192.168.2.3162.215.253.210
                                                  May 27, 2022 16:21:56.274815083 CEST58749753162.215.253.210192.168.2.3
                                                  May 27, 2022 16:21:56.274930000 CEST58749753162.215.253.210192.168.2.3
                                                  May 27, 2022 16:21:56.274964094 CEST58749753162.215.253.210192.168.2.3
                                                  May 27, 2022 16:21:56.278034925 CEST49753587192.168.2.3162.215.253.210
                                                  May 27, 2022 16:21:56.304992914 CEST49753587192.168.2.3162.215.253.210
                                                  May 27, 2022 16:21:56.473186970 CEST58749753162.215.253.210192.168.2.3
                                                  May 27, 2022 16:21:56.603131056 CEST49753587192.168.2.3162.215.253.210
                                                  May 27, 2022 16:22:00.993542910 CEST49753587192.168.2.3162.215.253.210
                                                  May 27, 2022 16:22:01.161530018 CEST58749753162.215.253.210192.168.2.3
                                                  May 27, 2022 16:22:01.163355112 CEST49753587192.168.2.3162.215.253.210
                                                  May 27, 2022 16:22:01.331542015 CEST58749753162.215.253.210192.168.2.3
                                                  May 27, 2022 16:22:01.336613894 CEST49753587192.168.2.3162.215.253.210
                                                  May 27, 2022 16:22:01.544559956 CEST58749753162.215.253.210192.168.2.3
                                                  May 27, 2022 16:22:01.627439976 CEST58749753162.215.253.210192.168.2.3
                                                  May 27, 2022 16:22:01.628704071 CEST49753587192.168.2.3162.215.253.210
                                                  May 27, 2022 16:22:01.796606064 CEST58749753162.215.253.210192.168.2.3
                                                  May 27, 2022 16:22:01.805218935 CEST49753587192.168.2.3162.215.253.210
                                                  May 27, 2022 16:22:02.006067038 CEST58749753162.215.253.210192.168.2.3
                                                  May 27, 2022 16:22:02.006397963 CEST49753587192.168.2.3162.215.253.210
                                                  May 27, 2022 16:22:02.175856113 CEST58749753162.215.253.210192.168.2.3
                                                  May 27, 2022 16:22:02.177301884 CEST49753587192.168.2.3162.215.253.210
                                                  May 27, 2022 16:22:02.177412033 CEST49753587192.168.2.3162.215.253.210
                                                  May 27, 2022 16:22:02.178045988 CEST49753587192.168.2.3162.215.253.210
                                                  May 27, 2022 16:22:02.178121090 CEST49753587192.168.2.3162.215.253.210
                                                  May 27, 2022 16:22:02.345071077 CEST58749753162.215.253.210192.168.2.3
                                                  May 27, 2022 16:22:02.345103025 CEST58749753162.215.253.210192.168.2.3
                                                  May 27, 2022 16:22:02.345554113 CEST58749753162.215.253.210192.168.2.3
                                                  May 27, 2022 16:22:02.345643044 CEST58749753162.215.253.210192.168.2.3
                                                  May 27, 2022 16:22:02.346275091 CEST58749753162.215.253.210192.168.2.3
                                                  May 27, 2022 16:22:02.400403976 CEST49753587192.168.2.3162.215.253.210

                                                  UDP Packets

                                                  TimestampSource PortDest PortSource IPDest IP
                                                  May 27, 2022 16:21:53.303886890 CEST6535853192.168.2.38.8.8.8
                                                  May 27, 2022 16:21:53.604362011 CEST53653588.8.8.8192.168.2.3
                                                  May 27, 2022 16:21:53.684684038 CEST5380253192.168.2.38.8.8.8
                                                  May 27, 2022 16:21:53.965389967 CEST53538028.8.8.8192.168.2.3
                                                  May 27, 2022 16:21:57.851927996 CEST6526653192.168.2.38.8.8.8

                                                  DNS Queries

                                                  TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                                  May 27, 2022 16:21:53.303886890 CEST192.168.2.38.8.8.80x6cd5Standard query (0)mail.maviksel.comA (IP address)IN (0x0001)
                                                  May 27, 2022 16:21:53.684684038 CEST192.168.2.38.8.8.80xb842Standard query (0)mail.maviksel.comA (IP address)IN (0x0001)
                                                  May 27, 2022 16:21:57.851927996 CEST192.168.2.38.8.8.80x5f8fStandard query (0)x1.i.lencr.orgA (IP address)IN (0x0001)

                                                  DNS Answers

                                                  TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                                  May 27, 2022 16:21:53.604362011 CEST8.8.8.8192.168.2.30x6cd5No error (0)mail.maviksel.commaviksel.comCNAME (Canonical name)IN (0x0001)
                                                  May 27, 2022 16:21:53.604362011 CEST8.8.8.8192.168.2.30x6cd5No error (0)maviksel.com162.215.253.210A (IP address)IN (0x0001)
                                                  May 27, 2022 16:21:53.965389967 CEST8.8.8.8192.168.2.30xb842No error (0)mail.maviksel.commaviksel.comCNAME (Canonical name)IN (0x0001)
                                                  May 27, 2022 16:21:53.965389967 CEST8.8.8.8192.168.2.30xb842No error (0)maviksel.com162.215.253.210A (IP address)IN (0x0001)
                                                  May 27, 2022 16:21:57.876038074 CEST8.8.8.8192.168.2.30x5f8fNo error (0)x1.i.lencr.orgcrl.root-x1.letsencrypt.org.edgekey.netCNAME (Canonical name)IN (0x0001)

                                                  SMTP Packets

                                                  TimestampSource PortDest PortSource IPDest IPCommands
                                                  May 27, 2022 16:21:55.639431953 CEST58749753162.215.253.210192.168.2.3220-bh-73.webhostbox.net ESMTP Exim 4.94.2 #2 Fri, 27 May 2022 14:21:55 +0000
                                                  220-We do not authorize the use of this system to transport unsolicited,
                                                  220 and/or bulk e-mail.
                                                  May 27, 2022 16:21:55.639763117 CEST49753587192.168.2.3162.215.253.210EHLO 141700
                                                  May 27, 2022 16:21:55.807671070 CEST58749753162.215.253.210192.168.2.3250-bh-73.webhostbox.net Hello 141700 [102.129.143.42]
                                                  250-SIZE 52428800
                                                  250-8BITMIME
                                                  250-PIPELINING
                                                  250-PIPE_CONNECT
                                                  250-AUTH PLAIN LOGIN
                                                  250-STARTTLS
                                                  250 HELP
                                                  May 27, 2022 16:21:55.807991028 CEST49753587192.168.2.3162.215.253.210STARTTLS
                                                  May 27, 2022 16:21:55.977329969 CEST58749753162.215.253.210192.168.2.3220 TLS go ahead

                                                  Statistics

                                                  Behavior

                                                  Click to jump to process

                                                  System Behavior

                                                  General

                                                  Target ID:0
                                                  Start time:16:21:17
                                                  Start date:27/05/2022
                                                  Path:C:\Users\user\Desktop\INV00987890.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\INV00987890.exe"
                                                  Imagebase:0x160000
                                                  File size:518144 bytes
                                                  MD5 hash:FE5CAB253EF5708D03DD6970E105B6C6
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET
                                                  Yara matches:
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.306417687.000000000345F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.306417687.000000000345F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  Reputation:low

                                                  General

                                                  Target ID:4
                                                  Start time:16:21:34
                                                  Start date:27/05/2022
                                                  Path:C:\Users\user\Desktop\INV00987890.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:{path}
                                                  Imagebase:0xe30000
                                                  File size:518144 bytes
                                                  MD5 hash:FE5CAB253EF5708D03DD6970E105B6C6
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET
                                                  Yara matches:
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.526824095.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000002.526824095.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.295217525.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.295217525.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.296078130.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.296078130.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.295669546.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.295669546.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000000.296713839.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000000.296713839.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.529292759.0000000003171000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.529292759.0000000003171000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  Reputation:low

                                                  Disassembly

                                                  No disassembly